{ "type": "URL", "indicator": "https://test.dxp.toldst.dk", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://test.dxp.toldst.dk", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4096411856, "indicator": "https://test.dxp.toldst.dk", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6967bc8b26b69d4dc2604a13", "name": "Telegram@V2ray_Alpha/ | Mirai | ExhoBot CNC | EtT", "description": "Inbound Outbound connections. Tel et error. Hacking activity affecting various forms of connectivity via telecom. Possibly a controls\n computer vehicle connects to. Related? I was researching increased malicious activity aimed against a target. An associate close to target reported (mid research) Vehicle reported \u2018no longer being able to communicate. Module 5 has an error. Please contact customer service). Targets car was powered oof. No Bluetooth connection. No reports. Audio off. No phone message, connection or dial. This is targets experience not mowing what I was researching.", "modified": "2026-02-13T15:04:30.631000", "created": "2026-01-14T15:55:55.693000", "tags": [ "v2rayalpha", "united", "unknown ns", "unknown aaaa", "domain add", "urls", "files", "domain", "github", "file format", "jkvpn", "jointelegram", "farahvpn vless", "post", "universal", "scribd", "typews", "telegram", "rdap", "handle", "iana registrar", "roles", "dnssec", "aaaa", "ttl value", "rdap database", "links", "backdoor", "antigua", "virgin islands", "status", "org domains", "proxy", "ip address", "barbuda unknown", "passive dns", "ipv4 add", "twitter", "dynamicloader", "port", "delete c", "destination", "high", "windows", "medium", "displayname", "write", "tofsee", "stream", "malware", "push", "next", "url add", "http", "hostname", "files domain", "files related", "related tags", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ck techniques", "evasion att", "sha256", "sha1", "pattern match", "ascii text", "href", "hybrid", "general", "local", "path", "click", "strings", "search", "moved", "record value", "servers", "title", "encrypt", "canada unknown", "gmt content", "reverse dns", "location canada", "canada asn", "accept", "cookie", "dll read", "function read", "wscriptshell", "shortcut", "guard", "error", "present jan", "name servers", "registrar url", "hong kong", "invalid url", "url analysis", "location hong", "kong flag", "msie", "chrome", "type", "media type", "certificate", "hostname add", "present nov", "present sep", "present oct", "expiration date", "present dec", "script urls", "a domains", "present mar", "present feb", "meta", "show", "read c", "entries", "read", "intel", "ms windows", "delete", "please", "artemis", "virustotal", "trojan", "mcafee", "drweb", "vipre", "panda", "write c", "total", "next associated", "thursday", "gmt cache", "ipv4", "form", "date", "mirai", "telnet login", "south korea", "bad login", "as4766 korea", "taiwan as3462", "china as45090", "telnet root", "cve201717215", "execution", "copy", "contacted", "mtb ids", "dns query", "variant cnc", "domain huawei", "remote command", "huawei remote", "echobot", "linux mirai", "monitoring", "cnc" ], "references": [ "https://pamchall.com/Telegram@V2ray_Alpha/", "Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net", "https://t.me/", "Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Cabinet_Archive , SFX_CAB", "ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile", "Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB", "IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)", "Huawei Remote Command Execution - Outbound (CVE-2017-17215)", "Huawei HG532 RCE Vulnerability (CVE-2017-17215)", "DYNAMIC_DNS Query to *.duckdns. Domain", "SUSPICIOUS Path to BusyBox HiSilicon DVR - Default", "Telnet Root Password Inbound TELNET login failed root login Bad Login Less", "Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT", "dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout", "IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202", "IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227", "Contacted: newmethcnc.duckdns.org", "https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e", "https://eurotarget.com/it/auto/toyota/c-hr/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Reline-9887776-0", "display_name": "Win.Malware.Reline-9887776-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Backdoor:Linux/Mirai.N!MTB", "display_name": "Backdoor:Linux/Mirai.N!MTB", "target": "/malware/Backdoor:Linux/Mirai.N!MTB" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1011.001", "name": "Exfiltration Over Bluetooth", "display_name": "T1011.001 - Exfiltration Over Bluetooth" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" } ], "industries": [ "Telecom" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6227, "domain": 1437, "hostname": 2331, "email": 8, "FileHash-SHA256": 3252, "FileHash-MD5": 465, "FileHash-SHA1": 457, "CIDR": 1, "CVE": 3 }, "indicator_count": 14181, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6964c08bf79bcb252eaa9e15", "name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers", "description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks", "modified": "2026-02-11T09:03:20.933000", "created": "2026-01-12T09:36:11.701000", "tags": [ "google", "fastly", "googlecl", "january", "http", "domain", "akamaias", "cloudflar", "page url", "de summary", "april", "reverse dns", "url https", "general full", "software", "united", "resource hash", "protocol h3", "security quic", "protocol h2", "security tls", "main", "present jan", "title", "gmt max", "certificate", "moved", "lowfi", "gmt content", "meta", "present dec", "status", "aaaa", "passive dns", "urls", "search", "expiration date", "win32", "files", "verdict", "files ip", "address", "mtb jan", "trojandropper", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "worm", "trojan", "ip address", "record value", "dark", "found", "ipv4 add", "error", "trojanspy", "emails", "servers", "pegasus", "america flag", "america asn", "tlsv1", "read c", "show", "medium", "lstockholm", "ospotify ab", "odigicert inc", "execution", "next", "dock", "write", "persistence", "dynamicloader", "yara rule", "ms windows", "pe32", "named pipe", "smartassembly", "delphi", "malware", "united states", "pe file", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "high", "write c", "tls sni", "tls handshake", "delete", "as15169", "stun binding", "request", "port", "win64", "themida", "guard", "risepro", "sha256", "sha1", "pattern match", "ascii text", "size", "mitre att", "ck id", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "learn", "command", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "directui", "element", "hwndhost", "classinfobase", "hwndelement", "value", "explorer", "insert", "movie", "hacktool", "showing", "entries http", "scans show", "california", "location united", "next associated", "pulse pulses", "name servers", "found request", "unique", "url add", "related nids", "files location", "expiration", "flag united", "present nov", "present sep", "href", "suricata stream", "command decode", "starfield", "encrypt", "iframe", "date", "title error", "hostname", "pulse submit", "memcommit", "checks", "windows", "capture", "cloudfront", "colorado", "creation date", "hostname add", "eset", "binary file", "pdb path", "internalname", "nod32", "amon" ], "references": [ "open.spotify.com \u2022", "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2", "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2", "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com", "https://target.tccwest.www.littleswimmers.fr/", "www.onyx-ware.com \u2022 endgamesystems.com", "cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "TrojanSpy:MSIL/Yakbeex.A", "display_name": "TrojanSpy:MSIL/Yakbeex.A", "target": "/malware/TrojanSpy:MSIL/Yakbeex.A" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32:HacktoolX-gen\\ [Trj]", "display_name": "Win32:HacktoolX-gen\\ [Trj]", "target": null }, { "id": "nUFS_unicode", "display_name": "nUFS_unicode", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "Win.Dropper.PoisonIvy-9876745-0", "display_name": "Win.Dropper.PoisonIvy-9876745-0", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Entertainment", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1293, "URL": 3389, "FileHash-MD5": 635, "FileHash-SHA1": 531, "FileHash-SHA256": 2345, "domain": 501, "email": 12, "SSLCertFingerprint": 16 }, "indicator_count": 8722, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687b5499d48de6e54f3bff11", "name": "213.174.130.70 - Spyware Install | Emotet via Malware sites", "description": "Malicious IP address for multiple malware domains. Very malicious spyware, will hijack network and devices. \n\u2022 Best Targeted sites \nSpyware Install\n\u2022 Garveep POST CnC\nBeacon\n\u2022 Worm.Mydoom\nCheckin\n\n#endgame #emotet #mydoom #malware_domains #install_spyware #monitered_targets", "modified": "2025-08-18T08:00:43.712000", "created": "2025-07-19T08:17:29.443000", "tags": [ "handle", "ripe ncc", "ripe network", "address range", "cidr", "allocation type", "assigned pa", "status", "whois server", "entity ah36ripe", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "date", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "seen", "update date", "tech email", "admin country", "expiration date", "dnssec", "admin id", "mi11255597wp", "msie", "chrome", "passive dns", "united", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "hosting", "open", "body", "extraction", "data upload", "failed", "include review", "anorexx", "video", "father sex", "ebony riding", "ebony", "roberta", "type win32", "exe size", "mb first", "file name", "sentinelone", "present jul", "present oct", "entries http", "memcommit", "t1055", "read c", "search", "entries", "show", "medium", "showing", "high process", "injection t1055", "copy", "write", "win32", "malware", "tsara brashears", "tsara", "pornhub", "porn videos", "watch tsara", "most relevant", "open threat", "exchange", "public", "https", "green", "daily", "brashears", "porn", "watch", "busty xxx", "filter tsara", "brashears porn", "url add", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "md5 sha256", "google safe", "browsing", "dynamicloader", "dynamic", "read", "delete", "mtb apr", "trojan", "lowfi", "virtool", "icloader apr", "otx telemetry", "australia", "exploit", "cobalt strike", "hostile", "trojanspy", "msil", "win64", "pulse", "alerts", "yara rule", "named pipe", "xe7xf3xf2x14x9d", "high", "delphi", "local", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "defense evasion", "adversaries", "spawns", "found", "process details", "flag", "contacted", "meta", "location united", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "beginstring", "null", "type data", "error", "span", "hybrid", "general", "click", "strings", "refresh", "tools", "pattern match", "show technique", "mitre att", "ck matrix", "ascii text", "show process", "utf8", "crlf line", "network traffic", "path", "included", "review", "excludea", "sugges data", "typ url", "url url", "url hos", "hos hos", "extraction f", "enter so", "u extractio", "extra data", "included review", "ic excluded", "suggeste", "pulses", "md5 google", "safe browsing", "virustotal api", "comments", "ally s", "extraction data", "enter soudcfidi", "ad temdac", "cddad ad", "praw type", "extr", "include u", "creation date", "record value", "gmt content", "x adblock", "certificate", "domain", "encrypt", "sec ch", "ch ua", "unknown aaaa", "ua full", "ua platform", "present jun", "moved", "ip address", "doctype html", "lander script", "head", "method", "allowed date", "arizona", "scottsdale", "go daddy", "authority", "next associated", "extraction fail", "enter soupce", "udi ad", "trydda dada", "panca type", "ur extraction", "s data", "pr extract", "servers", "hostname", "files ip", "denmark unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4, "URL": 7528, "domain": 1822, "hostname": 2015, "email": 5, "FileHash-MD5": 373, "FileHash-SHA1": 363, "FileHash-SHA256": 1939 }, "indicator_count": 14049, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net", "Telnet Root Password Inbound TELNET login failed root login Bad Login Less", "Huawei HG532 RCE Vulnerability (CVE-2017-17215)", "DYNAMIC_DNS Query to *.duckdns. Domain", "www.onyx-ware.com \u2022 endgamesystems.com", "IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)", "Huawei Remote Command Execution - Outbound (CVE-2017-17215)", "IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227", "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2", "https://t.me/", "SUSPICIOUS Path to BusyBox HiSilicon DVR - Default", "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com", "Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB", "https://pamchall.com/Telegram@V2ray_Alpha/", "https://target.tccwest.www.littleswimmers.fr/", "Yara Detections: Cabinet_Archive , SFX_CAB", "https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e", "https://eurotarget.com/it/auto/toyota/c-hr/", "ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile", "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2", "Contacted: newmethcnc.duckdns.org", "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "open.spotify.com \u2022", "Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT", "Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Win32/Tofsee.AX google.com connectivity check", "IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202", "dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Pegasus", "Backdoor:win32/tofsee.t", "Win.packed.generic-9967832-0", "Trojanspy", "Hacktool:win32/cobaltstrike.a", "Trojan:win32/zombie.a", "Nufs_unicode", "Win.dropper.poisonivy-9876745-0", "Win.malware.reline-9887776-0", "Backdoor:linux/mirai.n!mtb", "Win32:hacktoolx-gen\\ [trj]", "Win.packed.stealerc-10017074-0", "Win.trojan.barys-10005825-0", "#lowfi:win32/autoit", "Mirai", "Trojanspy:msil/yakbeex.a", "Mirai (elf)" ], "industries": [ "Technology", "Telecom", "Entertainment" ], "unique_indicators": 36696 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/toldst.dk", "whois": "http://whois.domaintools.com/toldst.dk", "domain": "toldst.dk", "hostname": "test.dxp.toldst.dk" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6967bc8b26b69d4dc2604a13", "name": "Telegram@V2ray_Alpha/ | Mirai | ExhoBot CNC | EtT", "description": "Inbound Outbound connections. Tel et error. Hacking activity affecting various forms of connectivity via telecom. Possibly a controls\n computer vehicle connects to. Related? I was researching increased malicious activity aimed against a target. An associate close to target reported (mid research) Vehicle reported \u2018no longer being able to communicate. Module 5 has an error. Please contact customer service). Targets car was powered oof. No Bluetooth connection. No reports. Audio off. No phone message, connection or dial. This is targets experience not mowing what I was researching.", "modified": "2026-02-13T15:04:30.631000", "created": "2026-01-14T15:55:55.693000", "tags": [ "v2rayalpha", "united", "unknown ns", "unknown aaaa", "domain add", "urls", "files", "domain", "github", "file format", "jkvpn", "jointelegram", "farahvpn vless", "post", "universal", "scribd", "typews", "telegram", "rdap", "handle", "iana registrar", "roles", "dnssec", "aaaa", "ttl value", "rdap database", "links", "backdoor", "antigua", "virgin islands", "status", "org domains", "proxy", "ip address", "barbuda unknown", "passive dns", "ipv4 add", "twitter", "dynamicloader", "port", "delete c", "destination", "high", "windows", "medium", "displayname", "write", "tofsee", "stream", "malware", "push", "next", "url add", "http", "hostname", "files domain", "files related", "related tags", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ck techniques", "evasion att", "sha256", "sha1", "pattern match", "ascii text", "href", "hybrid", "general", "local", "path", "click", "strings", "search", "moved", "record value", "servers", "title", "encrypt", "canada unknown", "gmt content", "reverse dns", "location canada", "canada asn", "accept", "cookie", "dll read", "function read", "wscriptshell", "shortcut", "guard", "error", "present jan", "name servers", "registrar url", "hong kong", "invalid url", "url analysis", "location hong", "kong flag", "msie", "chrome", "type", "media type", "certificate", "hostname add", "present nov", "present sep", "present oct", "expiration date", "present dec", "script urls", "a domains", "present mar", "present feb", "meta", "show", "read c", "entries", "read", "intel", "ms windows", "delete", "please", "artemis", "virustotal", "trojan", "mcafee", "drweb", "vipre", "panda", "write c", "total", "next associated", "thursday", "gmt cache", "ipv4", "form", "date", "mirai", "telnet login", "south korea", "bad login", "as4766 korea", "taiwan as3462", "china as45090", "telnet root", "cve201717215", "execution", "copy", "contacted", "mtb ids", "dns query", "variant cnc", "domain huawei", "remote command", "huawei remote", "echobot", "linux mirai", "monitoring", "cnc" ], "references": [ "https://pamchall.com/Telegram@V2ray_Alpha/", "Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net", "https://t.me/", "Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Cabinet_Archive , SFX_CAB", "ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile", "Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB", "IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)", "Huawei Remote Command Execution - Outbound (CVE-2017-17215)", "Huawei HG532 RCE Vulnerability (CVE-2017-17215)", "DYNAMIC_DNS Query to *.duckdns. Domain", "SUSPICIOUS Path to BusyBox HiSilicon DVR - Default", "Telnet Root Password Inbound TELNET login failed root login Bad Login Less", "Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT", "dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout", "IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202", "IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227", "Contacted: newmethcnc.duckdns.org", "https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e", "https://eurotarget.com/it/auto/toyota/c-hr/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Reline-9887776-0", "display_name": "Win.Malware.Reline-9887776-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Backdoor:Linux/Mirai.N!MTB", "display_name": "Backdoor:Linux/Mirai.N!MTB", "target": "/malware/Backdoor:Linux/Mirai.N!MTB" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1011.001", "name": "Exfiltration Over Bluetooth", "display_name": "T1011.001 - Exfiltration Over Bluetooth" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" } ], "industries": [ "Telecom" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6227, "domain": 1437, "hostname": 2331, "email": 8, "FileHash-SHA256": 3252, "FileHash-MD5": 465, "FileHash-SHA1": 457, "CIDR": 1, "CVE": 3 }, "indicator_count": 14181, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6964c08bf79bcb252eaa9e15", "name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers", "description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks", "modified": "2026-02-11T09:03:20.933000", "created": "2026-01-12T09:36:11.701000", "tags": [ "google", "fastly", "googlecl", "january", "http", "domain", "akamaias", "cloudflar", "page url", "de summary", "april", "reverse dns", "url https", "general full", "software", "united", "resource hash", "protocol h3", "security quic", "protocol h2", "security tls", "main", "present jan", "title", "gmt max", "certificate", "moved", "lowfi", "gmt content", "meta", "present dec", "status", "aaaa", "passive dns", "urls", "search", "expiration date", "win32", "files", "verdict", "files ip", "address", "mtb jan", "trojandropper", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "worm", "trojan", "ip address", "record value", "dark", "found", "ipv4 add", "error", "trojanspy", "emails", "servers", "pegasus", "america flag", "america asn", "tlsv1", "read c", "show", "medium", "lstockholm", "ospotify ab", "odigicert inc", "execution", "next", "dock", "write", "persistence", "dynamicloader", "yara rule", "ms windows", "pe32", "named pipe", "smartassembly", "delphi", "malware", "united states", "pe file", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "high", "write c", "tls sni", "tls handshake", "delete", "as15169", "stun binding", "request", "port", "win64", "themida", "guard", "risepro", "sha256", "sha1", "pattern match", "ascii text", "size", "mitre att", "ck id", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "learn", "command", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "directui", "element", "hwndhost", "classinfobase", "hwndelement", "value", "explorer", "insert", "movie", "hacktool", "showing", "entries http", "scans show", "california", "location united", "next associated", "pulse pulses", "name servers", "found request", "unique", "url add", "related nids", "files location", "expiration", "flag united", "present nov", "present sep", "href", "suricata stream", "command decode", "starfield", "encrypt", "iframe", "date", "title error", "hostname", "pulse submit", "memcommit", "checks", "windows", "capture", "cloudfront", "colorado", "creation date", "hostname add", "eset", "binary file", "pdb path", "internalname", "nod32", "amon" ], "references": [ "open.spotify.com \u2022", "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2", "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2", "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com", "https://target.tccwest.www.littleswimmers.fr/", "www.onyx-ware.com \u2022 endgamesystems.com", "cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "TrojanSpy:MSIL/Yakbeex.A", "display_name": "TrojanSpy:MSIL/Yakbeex.A", "target": "/malware/TrojanSpy:MSIL/Yakbeex.A" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32:HacktoolX-gen\\ [Trj]", "display_name": "Win32:HacktoolX-gen\\ [Trj]", "target": null }, { "id": "nUFS_unicode", "display_name": "nUFS_unicode", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "Win.Dropper.PoisonIvy-9876745-0", "display_name": "Win.Dropper.PoisonIvy-9876745-0", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Entertainment", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1293, "URL": 3389, "FileHash-MD5": 635, "FileHash-SHA1": 531, "FileHash-SHA256": 2345, "domain": 501, "email": 12, "SSLCertFingerprint": 16 }, "indicator_count": 8722, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687b5499d48de6e54f3bff11", "name": "213.174.130.70 - Spyware Install | Emotet via Malware sites", "description": "Malicious IP address for multiple malware domains. Very malicious spyware, will hijack network and devices. \n\u2022 Best Targeted sites \nSpyware Install\n\u2022 Garveep POST CnC\nBeacon\n\u2022 Worm.Mydoom\nCheckin\n\n#endgame #emotet #mydoom #malware_domains #install_spyware #monitered_targets", "modified": "2025-08-18T08:00:43.712000", "created": "2025-07-19T08:17:29.443000", "tags": [ "handle", "ripe ncc", "ripe network", "address range", "cidr", "allocation type", "assigned pa", "status", "whois server", "entity ah36ripe", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "date", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "seen", "update date", "tech email", "admin country", "expiration date", "dnssec", "admin id", "mi11255597wp", "msie", "chrome", "passive dns", "united", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "hosting", "open", "body", "extraction", "data upload", "failed", "include review", "anorexx", "video", "father sex", "ebony riding", "ebony", "roberta", "type win32", "exe size", "mb first", "file name", "sentinelone", "present jul", "present oct", "entries http", "memcommit", "t1055", "read c", "search", "entries", "show", "medium", "showing", "high process", "injection t1055", "copy", "write", "win32", "malware", "tsara brashears", "tsara", "pornhub", "porn videos", "watch tsara", "most relevant", "open threat", "exchange", "public", "https", "green", "daily", "brashears", "porn", "watch", "busty xxx", "filter tsara", "brashears porn", "url add", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "md5 sha256", "google safe", "browsing", "dynamicloader", "dynamic", "read", "delete", "mtb apr", "trojan", "lowfi", "virtool", "icloader apr", "otx telemetry", "australia", "exploit", "cobalt strike", "hostile", "trojanspy", "msil", "win64", "pulse", "alerts", "yara rule", "named pipe", "xe7xf3xf2x14x9d", "high", "delphi", "local", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "defense evasion", "adversaries", "spawns", "found", "process details", "flag", "contacted", "meta", "location united", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "beginstring", "null", "type data", "error", "span", "hybrid", "general", "click", "strings", "refresh", "tools", "pattern match", "show technique", "mitre att", "ck matrix", "ascii text", "show process", "utf8", "crlf line", "network traffic", "path", "included", "review", "excludea", "sugges data", "typ url", "url url", "url hos", "hos hos", "extraction f", "enter so", "u extractio", "extra data", "included review", "ic excluded", "suggeste", "pulses", "md5 google", "safe browsing", "virustotal api", "comments", "ally s", "extraction data", "enter soudcfidi", "ad temdac", "cddad ad", "praw type", "extr", "include u", "creation date", "record value", "gmt content", "x adblock", "certificate", "domain", "encrypt", "sec ch", "ch ua", "unknown aaaa", "ua full", "ua platform", "present jun", "moved", "ip address", "doctype html", "lander script", "head", "method", "allowed date", "arizona", "scottsdale", "go daddy", "authority", "next associated", "extraction fail", "enter soupce", "udi ad", "trydda dada", "panca type", "ur extraction", "s data", "pr extract", "servers", "hostname", "files ip", "denmark unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4, "URL": 7528, "domain": 1822, "hostname": 2015, "email": 5, "FileHash-MD5": 373, "FileHash-SHA1": 363, "FileHash-SHA256": 1939 }, "indicator_count": 14049, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://test.dxp.toldst.dk", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://test.dxp.toldst.dk", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641829.5938509 }