{ "type": "URL", "indicator": "https://ssl580924.cloudflaressl.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ssl580924.cloudflaressl.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3896835152, "indicator": "https://ssl580924.cloudflaressl.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "660b176a98b0c92ba5a962bc", "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise", "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.", "modified": "2024-09-04T05:01:56.993000", "created": "2024-04-01T20:22:02.851000", "tags": [ "BEC" ], "references": [ "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 233, "FileHash-SHA1": 230, "FileHash-SHA256": 6703, "URL": 4450, "CIDR": 3, "domain": 6223, "hostname": 2863, "email": 7, "CVE": 53 }, "indicator_count": 20765, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6671e5844c155814e69ba4dd", "name": "Mirai Botnet Injection affecting Alienvault.", "description": "It's unclear if some users or service itself is injecting users or if service is under a Mirai attack. I found evidence of both outbound & inbound activities. *Crowdsourced context: Activity related to MIRAI - according to source Cluster25 - \nThis IPV4 is used by MIRAI. Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.\n#zbetcheckin tracker\nDownloaded on 2023-11-07 19:34:59 UTC\nSRC URL : http://171.228.209.167/x86_64\nIP : 171.228.209.167\nAS : AS7552 Viettel Group\nYARA : #contentis_base64 #debuggerpattern__rdtsc #ip #math_entropy_6 #is__elf #http #ft_elf #executable_elf64", "modified": "2024-07-18T19:02:50.386000", "created": "2024-06-18T19:52:36.849000", "tags": [ "problems", "threat network", "infrastructure", "historical ssl", "microsoft stuff", "domain check", "referrer", "generic malware", "injector", "no data", "tag count", "fri mar", "analyzer threat", "ip summary", "url summary", "summary", "downloader", "generic", "united", "as14315", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "files", "america asn", "unknown", "ransom", "body", "coinminer", "malware generic", "wed jan", "first", "status", "creation date", "search", "date", "expiration date", "name servers", "next", "mirai", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "reverse dns", "location lao", "viet nam", "domain", "all search", "otx scoreblue", "hostname", "files ip", "lazarus", "as7552 viettel", "vietnam unknown", "win32", "worm", "win32sfone jul", "vietnam", "etag", "telecom", "as16625 akamai", "as20940", "germany", "united kingdom", "singapore", "as20546 soprado", "hong kong", "as45102 alibaba", "taobao network", "cname", "aaaa", "entries", "showing", "a domains", "as38731 vietel", "plesk", "a li", "default page", "plesk a", "mirai variant", "useragent", "apache", "accept", "hello", "create c", "read c", "delete", "write", "default", "create", "show", "medium", "dock", "execution", "copy", "xport", "address", "as131392", "cape", "orsam", "malware", "script urls", "moved", "record value", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malicious site", "phishing site", "malicious url", "opencandy", "exploit", "agent", "phishing", "acint", "iframe", "crack", "conduit", "artemis", "riskware", "mimikatz", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "filetour", "cleaner", "wacatac", "outbreak", "installcore", "iobit", "rostpay", "dropper", "mediaget", "related pulses", "whois", "related", "msil", "zombie", "dridex", "location viet", "pulse submit", "url analysis", "content", "google tag", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "deep malware", "iframes", "trackers", "external-resources", "text/html", "elf info", "header class", "elf64 data", "header version", "os abi", "unix", "v object", "file type", "exec", "executable file", "progbits", "type address", "offset size", "flags", "null", "nobits", "strtab", "ip detections", "country", "us bundled", "detections file", "name", "graph summary", "get hello", "jaws webserver", "outbound", "mvpower dvr", "shell uce", "inbound", "activity mirai", "mirai", "info", "performs dns", "mitre att", "access ta0006", "os credential", "dumping t1003", "enumerates", "command", "control ta0011", "protocol t1071", "protocol t1095", "relacionada", "mirai malware", "mirai 04022024", "nciipc", "ip reputaion", "msie", "windows nt", "slcc2", "media center", "china as37963", "simplified", "trojanspy", "virustotal", "panda", "detections type", "shell", "javascript", "dns replication", "files referring", "lookups", "as7552", "vhash", "ssdeep", "magic elf", "sysv", "trid elf", "executable", "linux", "elf executable", "loccel1", "echobot", "bashlite", "malwarebazaar", "echobot malware", "win32 exe", "magic msdos", "pe32 executable", "intel", "ms windows", "trid dos", "compiler", "delphi", "serial number", "algorithm", "thumbprint", "valid from", "code signing", "from", "microsoft root", "name microsoft", "verisign time", "stamping", "contained", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "regsetvalueexa", "type rtrcdata", "sha256 file", "threat roundup", "october", "august", "june", "september", "highly targeted", "cyberstalking", "round", "december", "sneaky server", "facebook", "stealer", "agent tesla", "pony", "april", "whitelisted", "encrypt", "targeting", "tsara brashears", "otx", "alienvault", "memcommit", "regsz", "regopenkeyexw", "english", "module load", "t1129", "t1082", "windows module", "dlls", "redline stealer", "updater", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "data redacted", "cloudflare", "redacted", "for privacy", "code", "server", "registrar abuse", "redacted for", "postal code", "registrant name", "red team", "shit", "logistics", "cyber defense", "gootloader", "march", "sinkhole", "just", "ramnit", "netsupport rat", "microsoft", "vault", "karen", "gifts", "hidden privacy", "threats", "malicious", "darkgate", "core", "hacktool", "emotet" ], "references": [ "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "https://otx.alienvault.com/indicator/domain/bunny.net", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "AV Detection: ELF:Mirai-GH\\ [Trj]", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "Was anyone else notified? I'm not sure why I was.", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "CS Sigma: Matches rule Python Initiated Connection by frack113" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "ALF:E5.SpikeAex.rhh_mcv", "display_name": "ALF:E5.SpikeAex.rhh_mcv", "target": null }, { "id": "Win.Dropper.Bulz-9910065-0", "display_name": "Win.Dropper.Bulz-9910065-0", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Win.Dropper.Autoit-6688751-0", "display_name": "Win.Dropper.Autoit-6688751-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Win.Dropper.Dridex-9986041-0", "display_name": "Win.Dropper.Dridex-9986041-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Zombie", "display_name": "ALF:HeraklezEval:Trojan:Win32/Zombie", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Worm:Win32/Sfone.A", "display_name": "Worm:Win32/Sfone.A", "target": "/malware/Worm:Win32/Sfone.A" }, { "id": "Worm:Win32/Sfone", "display_name": "Worm:Win32/Sfone", "target": "/malware/Worm:Win32/Sfone" }, { "id": "Win.Malware.Bbabdcdc-7358312-0", "display_name": "Win.Malware.Bbabdcdc-7358312-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "trojan.mirai/fszhh", "display_name": "trojan.mirai/fszhh", "target": null }, { "id": "DDOS:Linux/Mirai", "display_name": "DDOS:Linux/Mirai", "target": "/malware/DDOS:Linux/Mirai" }, { "id": "ANDROID/AVE.Mirai.fszhh", "display_name": "ANDROID/AVE.Mirai.fszhh", "target": null }, { "id": "Flyagent L", "display_name": "Flyagent L", "target": null }, { "id": "Win-Trojan/Malpacked5.Gen", "display_name": "Win-Trojan/Malpacked5.Gen", "target": null }, { "id": "Atros3.LDJ", "display_name": "Atros3.LDJ", "target": null }, { "id": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "display_name": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "target": null }, { "id": "TrojanSpy:Win32/Gucotut.A", "display_name": "TrojanSpy:Win32/Gucotut.A", "target": "/malware/TrojanSpy:Win32/Gucotut.A" }, { "id": "W32/Pidgeon-A", "display_name": "W32/Pidgeon-A", "target": null }, { "id": "Variant.Zusy.151902", "display_name": "Variant.Zusy.151902", "target": null }, { "id": "trojan.mirai/fedr", "display_name": "trojan.mirai/fedr", "target": null }, { "id": "Win.Malware.Trojanx-9862538-0", "display_name": "Win.Malware.Trojanx-9862538-0", "target": null }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "virus.ramnit/nimnul", "display_name": "virus.ramnit/nimnul", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 351, "FileHash-SHA1": 349, "FileHash-SHA256": 3715, "domain": 3326, "hostname": 5200, "URL": 13151, "email": 9, "CVE": 7, "CIDR": 2 }, "indicator_count": 26110, "is_author": false, "is_subscribing": null, "subscriber_count": 248, "modified_text": "681 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66577ac0e1788e544c312e3f", "name": "Backdoor:MSIL/Noancooe.A | Network sniffing Lime bandit", "description": "Backdoor:MSIL/Noancooe.A: Backdoor arrives on a system as a file dropped by other malware or as a file downloaded giving malicious hackers unauthorized access and control of your PC.", "modified": "2024-06-28T18:00:33.800000", "created": "2024-05-29T18:58:08.465000", "tags": [ "algorithm", "full name", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "date", "code", "first", "server", "privacy notice", "aaaa", "google", "july", "xcitium verdict", "record type", "ttl value", "data", "name verdict", "falcon sandbox", "jpeg image", "jfif standard", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "ck matrix", "united", "et tor", "path", "mask", "hybrid", "generator", "local", "click", "strings", "union", "#metoo", "russell mcveagh", "grope", "moved", "civicaig", "now hiring", "apple", "unknown", "a domains", "passive dns", "urls", "creation date", "status", "search", "expiration date", "hong kong", "as133775 xiamen", "germany unknown", "scan endpoints", "all scoreblue", "body", "next", "hacking", "critical", "jailbreak", "m", "tech", "hit", "men", "sreredrum", "lime", "as24940 hetzner", "cname", "germany", "as16276", "domain", "spain unknown", "as31898 oracle", "as396982 google", "as5617 orange", "poland unknown", "as8881", "as19905", "msil", "kiwis", "sabey data centers", "nemtih", "attack tsara brashears", "t phone", "t mail", "t", "lakewood", "arvada", "jeff reimer dpt", "jeffrey scott", "lakeside", "grey st", "capture", "aquire", "aig", "sammie", "smith", "johnson", "xfinity", "whisper", "sky", "cybercrime", "true", "cyprus", "attack path", "pattern match" ], "references": [ "www.russellmcveagh.com - Law Firm (front?) Document Moved", "Russell McVeagh - New Zealand's leading commercial law firm, known as the go-to team for tackling complex legal problems.", "www.auth.civicalg.com.sni.cloudflaressl.com | civicalg.com", "It's all the same | AIG, Michael Roberts Rexxfield 'bounty hunter' Brian Sabey HallRender (?)", "This area is swarming with PI's (his , hers and theirs)", "Hired hackers to jailbreak and locate devices. Brute forces, business and personal devices, network attacked.", "Crime scene unit vans from different county.", "Front Range security guard w/unsolicited account of on premise hacker causeing outage. Why would he be 'in the know, or giving information?", "sonar.lg-nonprod.civicalg.com (dangerous) peneservice71.auth.civicalg.com, install.civicalg.com", "#MeToo - A former Russell McVeagh partner found guilty of \"disgraceful\" sexual misconduct at the heart of New Zealand's #MeToo movement.", "http://droid--apk-ru.webpkgcache.com/", "http://e.name/?C.push.apply | https://application.t.email/backscreen", "appleread.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:MSIL/Noancooe.A", "display_name": "Backdoor:MSIL/Noancooe.A", "target": "/malware/Backdoor:MSIL/Noancooe.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 695, "URL": 1111, "FileHash-MD5": 7, "FileHash-SHA1": 17, "FileHash-SHA256": 230, "domain": 643, "email": 9, "SSLCertFingerprint": 6 }, "indicator_count": 2718, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "701 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "This area is swarming with PI's (his , hers and theirs)", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "It's all the same | AIG, Michael Roberts Rexxfield 'bounty hunter' Brian Sabey HallRender (?)", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate", "sonar.lg-nonprod.civicalg.com (dangerous) peneservice71.auth.civicalg.com, install.civicalg.com", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "http://droid--apk-ru.webpkgcache.com/", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "CS Sigma: Matches rule Python Initiated Connection by frack113", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "Was anyone else notified? I'm not sure why I was.", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "Front Range security guard w/unsolicited account of on premise hacker causeing outage. Why would he be 'in the know, or giving information?", "Crime scene unit vans from different county.", "Hired hackers to jailbreak and locate devices. Brute forces, business and personal devices, network attacked.", "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "www.auth.civicalg.com.sni.cloudflaressl.com | civicalg.com", "appleread.net", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "Russell McVeagh - New Zealand's leading commercial law firm, known as the go-to team for tackling complex legal problems.", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "#MeToo - A former Russell McVeagh partner found guilty of \"disgraceful\" sexual misconduct at the heart of New Zealand's #MeToo movement.", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "wallpapers-nature.com", "http://e.name/?C.push.apply | https://application.t.email/backscreen", "AV Detection: ELF:Mirai-GH\\ [Trj]", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "www.russellmcveagh.com - Law Firm (front?) Document Moved", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://otx.alienvault.com/indicator/domain/bunny.net" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Virus.ramnit/nimnul", "Generic", "Elf:mirai-gh\\ [trj]", "W32/pidgeon-a", "Win32:malware-gen", "Flyagent l", "Win.packer.pkr_ce1a-9980177-0", "Win32:pwsx-gen\\ [trj]", "Win32:trojan-gen", "Trojan.mirai/fszhh", "Win.malware.trojanx-9862538-0", "A variant of win32/flystudio.packed.ad potentially unwanted", "Win-trojan/malpacked5.gen", "Unix.trojan.mirai-9441505-0", "Android/ave.mirai.fszhh", "Alf:heraklezeval:trojan:win32/clipbanker", "Atros3.ldj", "Win.malware.bbabdcdc-7358312-0", "Ddos:linux/mirai", "Trojanspy:win32/gucotut.a", "Worm:win32/sfone", "Variant.zusy.151902", "Win.dropper.autoit-6688751-0", "Win.dropper.dridex-9986041-0", "Alf:e5.spikeaex.rhh_mcv", "Win.dropper.bulz-9910065-0", "Worm:win32/sfone.a", "Backdoor:msil/noancooe.a", "Alf:heraklezeval:trojan:win32/zombie", "Trojan.mirai/fedr" ], "industries": [ "Technology", "Telecommunications", "Education", "Civil society", "Government" ], "unique_indicators": 35948 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloudflaressl.com", "whois": "http://whois.domaintools.com/cloudflaressl.com", "domain": "cloudflaressl.com", "hostname": "ssl580924.cloudflaressl.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "660b176a98b0c92ba5a962bc", "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise", "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.", "modified": "2024-09-04T05:01:56.993000", "created": "2024-04-01T20:22:02.851000", "tags": [ "BEC" ], "references": [ "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 233, "FileHash-SHA1": 230, "FileHash-SHA256": 6703, "URL": 4450, "CIDR": 3, "domain": 6223, "hostname": 2863, "email": 7, "CVE": 53 }, "indicator_count": 20765, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6671e5844c155814e69ba4dd", "name": "Mirai Botnet Injection affecting Alienvault.", "description": "It's unclear if some users or service itself is injecting users or if service is under a Mirai attack. I found evidence of both outbound & inbound activities. *Crowdsourced context: Activity related to MIRAI - according to source Cluster25 - \nThis IPV4 is used by MIRAI. Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.\n#zbetcheckin tracker\nDownloaded on 2023-11-07 19:34:59 UTC\nSRC URL : http://171.228.209.167/x86_64\nIP : 171.228.209.167\nAS : AS7552 Viettel Group\nYARA : #contentis_base64 #debuggerpattern__rdtsc #ip #math_entropy_6 #is__elf #http #ft_elf #executable_elf64", "modified": "2024-07-18T19:02:50.386000", "created": "2024-06-18T19:52:36.849000", "tags": [ "problems", "threat network", "infrastructure", "historical ssl", "microsoft stuff", "domain check", "referrer", "generic malware", "injector", "no data", "tag count", "fri mar", "analyzer threat", "ip summary", "url summary", "summary", "downloader", "generic", "united", "as14315", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "files", "america asn", "unknown", "ransom", "body", "coinminer", "malware generic", "wed jan", "first", "status", "creation date", "search", "date", "expiration date", "name servers", "next", "mirai", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "reverse dns", "location lao", "viet nam", "domain", "all search", "otx scoreblue", "hostname", "files ip", "lazarus", "as7552 viettel", "vietnam unknown", "win32", "worm", "win32sfone jul", "vietnam", "etag", "telecom", "as16625 akamai", "as20940", "germany", "united kingdom", "singapore", "as20546 soprado", "hong kong", "as45102 alibaba", "taobao network", "cname", "aaaa", "entries", "showing", "a domains", "as38731 vietel", "plesk", "a li", "default page", "plesk a", "mirai variant", "useragent", "apache", "accept", "hello", "create c", "read c", "delete", "write", "default", "create", "show", "medium", "dock", "execution", "copy", "xport", "address", "as131392", "cape", "orsam", "malware", "script urls", "moved", "record value", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malicious site", "phishing site", "malicious url", "opencandy", "exploit", "agent", "phishing", "acint", "iframe", "crack", "conduit", "artemis", "riskware", "mimikatz", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "filetour", "cleaner", "wacatac", "outbreak", "installcore", "iobit", "rostpay", "dropper", "mediaget", "related pulses", "whois", "related", "msil", "zombie", "dridex", "location viet", "pulse submit", "url analysis", "content", "google tag", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "deep malware", "iframes", "trackers", "external-resources", "text/html", "elf info", "header class", "elf64 data", "header version", "os abi", "unix", "v object", "file type", "exec", "executable file", "progbits", "type address", "offset size", "flags", "null", "nobits", "strtab", "ip detections", "country", "us bundled", "detections file", "name", "graph summary", "get hello", "jaws webserver", "outbound", "mvpower dvr", "shell uce", "inbound", "activity mirai", "mirai", "info", "performs dns", "mitre att", "access ta0006", "os credential", "dumping t1003", "enumerates", "command", "control ta0011", "protocol t1071", "protocol t1095", "relacionada", "mirai malware", "mirai 04022024", "nciipc", "ip reputaion", "msie", "windows nt", "slcc2", "media center", "china as37963", "simplified", "trojanspy", "virustotal", "panda", "detections type", "shell", "javascript", "dns replication", "files referring", "lookups", "as7552", "vhash", "ssdeep", "magic elf", "sysv", "trid elf", "executable", "linux", "elf executable", "loccel1", "echobot", "bashlite", "malwarebazaar", "echobot malware", "win32 exe", "magic msdos", "pe32 executable", "intel", "ms windows", "trid dos", "compiler", "delphi", "serial number", "algorithm", "thumbprint", "valid from", "code signing", "from", "microsoft root", "name microsoft", "verisign time", "stamping", "contained", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "regsetvalueexa", "type rtrcdata", "sha256 file", "threat roundup", "october", "august", "june", "september", "highly targeted", "cyberstalking", "round", "december", "sneaky server", "facebook", "stealer", "agent tesla", "pony", "april", "whitelisted", "encrypt", "targeting", "tsara brashears", "otx", "alienvault", "memcommit", "regsz", "regopenkeyexw", "english", "module load", "t1129", "t1082", "windows module", "dlls", "redline stealer", "updater", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "data redacted", "cloudflare", "redacted", "for privacy", "code", "server", "registrar abuse", "redacted for", "postal code", "registrant name", "red team", "shit", "logistics", "cyber defense", "gootloader", "march", "sinkhole", "just", "ramnit", "netsupport rat", "microsoft", "vault", "karen", "gifts", "hidden privacy", "threats", "malicious", "darkgate", "core", "hacktool", "emotet" ], "references": [ "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "https://otx.alienvault.com/indicator/domain/bunny.net", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "AV Detection: ELF:Mirai-GH\\ [Trj]", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "Was anyone else notified? I'm not sure why I was.", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "CS Sigma: Matches rule Python Initiated Connection by frack113" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "ALF:E5.SpikeAex.rhh_mcv", "display_name": "ALF:E5.SpikeAex.rhh_mcv", "target": null }, { "id": "Win.Dropper.Bulz-9910065-0", "display_name": "Win.Dropper.Bulz-9910065-0", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Win.Dropper.Autoit-6688751-0", "display_name": "Win.Dropper.Autoit-6688751-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Win.Dropper.Dridex-9986041-0", "display_name": "Win.Dropper.Dridex-9986041-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Zombie", "display_name": "ALF:HeraklezEval:Trojan:Win32/Zombie", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Worm:Win32/Sfone.A", "display_name": "Worm:Win32/Sfone.A", "target": "/malware/Worm:Win32/Sfone.A" }, { "id": "Worm:Win32/Sfone", "display_name": "Worm:Win32/Sfone", "target": "/malware/Worm:Win32/Sfone" }, { "id": "Win.Malware.Bbabdcdc-7358312-0", "display_name": "Win.Malware.Bbabdcdc-7358312-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "trojan.mirai/fszhh", "display_name": "trojan.mirai/fszhh", "target": null }, { "id": "DDOS:Linux/Mirai", "display_name": "DDOS:Linux/Mirai", "target": "/malware/DDOS:Linux/Mirai" }, { "id": "ANDROID/AVE.Mirai.fszhh", "display_name": "ANDROID/AVE.Mirai.fszhh", "target": null }, { "id": "Flyagent L", "display_name": "Flyagent L", "target": null }, { "id": "Win-Trojan/Malpacked5.Gen", "display_name": "Win-Trojan/Malpacked5.Gen", "target": null }, { "id": "Atros3.LDJ", "display_name": "Atros3.LDJ", "target": null }, { "id": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "display_name": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "target": null }, { "id": "TrojanSpy:Win32/Gucotut.A", "display_name": "TrojanSpy:Win32/Gucotut.A", "target": "/malware/TrojanSpy:Win32/Gucotut.A" }, { "id": "W32/Pidgeon-A", "display_name": "W32/Pidgeon-A", "target": null }, { "id": "Variant.Zusy.151902", "display_name": "Variant.Zusy.151902", "target": null }, { "id": "trojan.mirai/fedr", "display_name": "trojan.mirai/fedr", "target": null }, { "id": "Win.Malware.Trojanx-9862538-0", "display_name": "Win.Malware.Trojanx-9862538-0", "target": null }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "virus.ramnit/nimnul", "display_name": "virus.ramnit/nimnul", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 351, "FileHash-SHA1": 349, "FileHash-SHA256": 3715, "domain": 3326, "hostname": 5200, "URL": 13151, "email": 9, "CVE": 7, "CIDR": 2 }, "indicator_count": 26110, "is_author": false, "is_subscribing": null, "subscriber_count": 248, "modified_text": "681 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66577ac0e1788e544c312e3f", "name": "Backdoor:MSIL/Noancooe.A | Network sniffing Lime bandit", "description": "Backdoor:MSIL/Noancooe.A: Backdoor arrives on a system as a file dropped by other malware or as a file downloaded giving malicious hackers unauthorized access and control of your PC.", "modified": "2024-06-28T18:00:33.800000", "created": "2024-05-29T18:58:08.465000", "tags": [ "algorithm", "full name", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "date", "code", "first", "server", "privacy notice", "aaaa", "google", "july", "xcitium verdict", "record type", "ttl value", "data", "name verdict", "falcon sandbox", "jpeg image", "jfif standard", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "ck matrix", "united", "et tor", "path", "mask", "hybrid", "generator", "local", "click", "strings", "union", "#metoo", "russell mcveagh", "grope", "moved", "civicaig", "now hiring", "apple", "unknown", "a domains", "passive dns", "urls", "creation date", "status", "search", "expiration date", "hong kong", "as133775 xiamen", "germany unknown", "scan endpoints", "all scoreblue", "body", "next", "hacking", "critical", "jailbreak", "m", "tech", "hit", "men", "sreredrum", "lime", "as24940 hetzner", "cname", "germany", "as16276", "domain", "spain unknown", "as31898 oracle", "as396982 google", "as5617 orange", "poland unknown", "as8881", "as19905", "msil", "kiwis", "sabey data centers", "nemtih", "attack tsara brashears", "t phone", "t mail", "t", "lakewood", "arvada", "jeff reimer dpt", "jeffrey scott", "lakeside", "grey st", "capture", "aquire", "aig", "sammie", "smith", "johnson", "xfinity", "whisper", "sky", "cybercrime", "true", "cyprus", "attack path", "pattern match" ], "references": [ "www.russellmcveagh.com - Law Firm (front?) Document Moved", "Russell McVeagh - New Zealand's leading commercial law firm, known as the go-to team for tackling complex legal problems.", "www.auth.civicalg.com.sni.cloudflaressl.com | civicalg.com", "It's all the same | AIG, Michael Roberts Rexxfield 'bounty hunter' Brian Sabey HallRender (?)", "This area is swarming with PI's (his , hers and theirs)", "Hired hackers to jailbreak and locate devices. Brute forces, business and personal devices, network attacked.", "Crime scene unit vans from different county.", "Front Range security guard w/unsolicited account of on premise hacker causeing outage. Why would he be 'in the know, or giving information?", "sonar.lg-nonprod.civicalg.com (dangerous) peneservice71.auth.civicalg.com, install.civicalg.com", "#MeToo - A former Russell McVeagh partner found guilty of \"disgraceful\" sexual misconduct at the heart of New Zealand's #MeToo movement.", "http://droid--apk-ru.webpkgcache.com/", "http://e.name/?C.push.apply | https://application.t.email/backscreen", "appleread.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:MSIL/Noancooe.A", "display_name": "Backdoor:MSIL/Noancooe.A", "target": "/malware/Backdoor:MSIL/Noancooe.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 695, "URL": 1111, "FileHash-MD5": 7, "FileHash-SHA1": 17, "FileHash-SHA256": 230, "domain": 643, "email": 9, "SSLCertFingerprint": 6 }, "indicator_count": 2718, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "701 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ssl580924.cloudflaressl.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ssl580924.cloudflaressl.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780243054.0282478 }