{ "type": "URL", "indicator": "https://whois.arin.net/rest/net/NET-64-252-128-0-1", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://whois.arin.net/rest/net/NET-64-252-128-0-1", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #6937", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain arin.net", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain arin.net", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4074614696, "indicator": "https://whois.arin.net/rest/net/NET-64-252-128-0-1", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69f2e790b5ca86510c384c2c", "name": "14.5k win[exe] comm, 14 ref, 89hxTrojans with ARINOPS -199.", "description": "[The following has been published on the website of the International Organization for the Prevention of Electronic Illness (IOC), which is based in the United States, and is subject to a security rev]\nCertificate before 8/20 expired. Client lost access to phone Aug 22-Sept 15 no reason given. Clients ADT alarm went of wehn sectigo cert expired Sept 8. Client went into Apple man in suit \"unlocked phone\" Sept 15. Was this a jailbreak?", "modified": "2026-05-30T05:18:49.034000", "created": "2026-04-30T05:24:32.866000", "tags": [ "win32", "trojan", "united", "as393225", "mtb may", "mtb mar", "passive dns", "ip address", "backdoor", "mtb apr", "url analysis", "level", "title", "mirai", "orgtechhandle", "arin operations", "orgnochandle", "kassim", "oneill", "michael j", "nethandle", "net199", "net1990000", "arinops", "address range", "cidr", "network name", "allocation type", "whois server", "entity arinops", "handle", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 215, "FileHash-SHA1": 178, "FileHash-SHA256": 594, "domain": 12, "CIDR": 60, "URL": 122, "hostname": 72, "email": 7, "CVE": 1 }, "indicator_count": 1261, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f2e7933eca244995760f32", "name": "14.5k win[exe] comm, 14 ref, 89hxTrojans with ARINOPS -199.", "description": "[The following has been published on the website of the International Organization for the Prevention of Electronic Illness (IOC), which is based in the United States, and is subject to a security rev]\nCertificate before 8/20 expired. Client lost access to phone Aug 22-Sept 15 no reason given. Clients ADT alarm went of wehn sectigo cert expired Sept 8. Client went into Apple man in suit \"unlocked phone\" Sept 15. Was this a jailbreak?", "modified": "2026-05-30T05:18:49.034000", "created": "2026-04-30T05:24:35.619000", "tags": [ "win32", "trojan", "united", "as393225", "mtb may", "mtb mar", "passive dns", "ip address", "backdoor", "mtb apr", "url analysis", "level", "title", "mirai", "orgtechhandle", "arin operations", "orgnochandle", "kassim", "oneill", "michael j", "nethandle", "net199", "net1990000", "arinops", "address range", "cidr", "network name", "allocation type", "whois server", "entity arinops", "handle", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 152, "FileHash-SHA1": 153, "FileHash-SHA256": 495, "domain": 2, "CIDR": 1, "URL": 70, "hostname": 7, "email": 5 }, "indicator_count": 885, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6845e54bb82667ed18988fe5", "name": "Amazon -CF | Malicious autonomous system", "description": "Handle: AMAZON-4 Network Name: AMAZON-CF\n#DWactivity |\nWHO IS: \nAutonomous System Numbers\nAMAZON-AS\tAS7224 (AS7224)\nLABSHUB-NETWORKING\tAS10291 (AS10291)\nAMAZON-02\tAS16509 (AS16509)\nAWS-01\tAS19047 (AS19047)\nPRIME-TESTING\tAS63088 (AS63088)\n#malicious #rat #infection #auotonomous #virus #network #dns #intrusion #darkweb\n\n*issue with this great tool or possibly my network. Several IoC\u2019s deleted, I went back to retrieve IoC\u2019s from VT they were deleted and I had to do it all\nOver but conditions had changed.\nStill unable to annotate.", "modified": "2025-07-08T19:04:31.649000", "created": "2025-06-08T19:32:27.529000", "tags": [ "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "null", "refresh", "body", "span", "june", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "net3128001", "net3168001", "amazon", "technology", "zenbox", "domain", "r2dbox", "virustotal", "technology xn", "united", "unknown aaaa", "search", "emails", "servers", "moved", "registrar", "creation date", "name servers", "present may", "entries", "ip address", "present feb", "present jan", "aaaa", "status", "passive dns", "urls", "server", "asn16509", "amazon02", "general full", "url http", "reverse dns", "resource", "resource path", "size", "cloudfront", "request id", "expiration date", "record value", "name domain", "org microsoft", "microsoft way", "hostname add", "pulse submit", "pulse indicator", "url analysis", "amazon ec2", "abuse", "aws rpki", "management poc", "ip routing", "report abuse", "abuse poc", "aea8arin", "amazon web", "amazon aws", "service", "net1042531920", "net10425319201", "net108138001", "net108156002", "net130176002", "net13224002", "net13249001", "net1332002", "net1335001", "net143204002", "allocation", "certificate", "assignment", "po box", "learn", "name tactics", "suspicious", "informative", "command", "spawns", "found", "ck techniques", "evasion att", "status code", "body length", "b body", "headers server", "cloudfront date", "contentlength", "connection", "date sun", "defense evasion", "ta0005 command", "control ta0011", "catalog tree", "resolved ips", "cname", "nothing", "accept", "registry keys", "http", "port", "gmt ifnonematch", "info file", "network dropped", "shutdown", "range", "name amazoncf", "parent at88z", "net type", "as organization", "amazon4", "link https", "links arin", "submit url", "handle amazon4", "street", "ave city", "wa postal", "code", "country us", "related", "whoiswhoisrws", "arin search", "whoisrws" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 106, "FileHash-SHA1": 101, "FileHash-SHA256": 636, "URL": 786, "domain": 462, "hostname": 790, "CIDR": 82, "email": 16 }, "indicator_count": 2979, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Mirai" ], "industries": [], "unique_indicators": 4403 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/arin.net", "whois": "http://whois.domaintools.com/arin.net", "domain": "arin.net", "hostname": "whois.arin.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69f2e790b5ca86510c384c2c", "name": "14.5k win[exe] comm, 14 ref, 89hxTrojans with ARINOPS -199.", "description": "[The following has been published on the website of the International Organization for the Prevention of Electronic Illness (IOC), which is based in the United States, and is subject to a security rev]\nCertificate before 8/20 expired. Client lost access to phone Aug 22-Sept 15 no reason given. Clients ADT alarm went of wehn sectigo cert expired Sept 8. Client went into Apple man in suit \"unlocked phone\" Sept 15. Was this a jailbreak?", "modified": "2026-05-30T05:18:49.034000", "created": "2026-04-30T05:24:32.866000", "tags": [ "win32", "trojan", "united", "as393225", "mtb may", "mtb mar", "passive dns", "ip address", "backdoor", "mtb apr", "url analysis", "level", "title", "mirai", "orgtechhandle", "arin operations", "orgnochandle", "kassim", "oneill", "michael j", "nethandle", "net199", "net1990000", "arinops", "address range", "cidr", "network name", "allocation type", "whois server", "entity arinops", "handle", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 215, "FileHash-SHA1": 178, "FileHash-SHA256": 594, "domain": 12, "CIDR": 60, "URL": 122, "hostname": 72, "email": 7, "CVE": 1 }, "indicator_count": 1261, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f2e7933eca244995760f32", "name": "14.5k win[exe] comm, 14 ref, 89hxTrojans with ARINOPS -199.", "description": "[The following has been published on the website of the International Organization for the Prevention of Electronic Illness (IOC), which is based in the United States, and is subject to a security rev]\nCertificate before 8/20 expired. Client lost access to phone Aug 22-Sept 15 no reason given. Clients ADT alarm went of wehn sectigo cert expired Sept 8. Client went into Apple man in suit \"unlocked phone\" Sept 15. Was this a jailbreak?", "modified": "2026-05-30T05:18:49.034000", "created": "2026-04-30T05:24:35.619000", "tags": [ "win32", "trojan", "united", "as393225", "mtb may", "mtb mar", "passive dns", "ip address", "backdoor", "mtb apr", "url analysis", "level", "title", "mirai", "orgtechhandle", "arin operations", "orgnochandle", "kassim", "oneill", "michael j", "nethandle", "net199", "net1990000", "arinops", "address range", "cidr", "network name", "allocation type", "whois server", "entity arinops", "handle", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 152, "FileHash-SHA1": 153, "FileHash-SHA256": 495, "domain": 2, "CIDR": 1, "URL": 70, "hostname": 7, "email": 5 }, "indicator_count": 885, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6845e54bb82667ed18988fe5", "name": "Amazon -CF | Malicious autonomous system", "description": "Handle: AMAZON-4 Network Name: AMAZON-CF\n#DWactivity |\nWHO IS: \nAutonomous System Numbers\nAMAZON-AS\tAS7224 (AS7224)\nLABSHUB-NETWORKING\tAS10291 (AS10291)\nAMAZON-02\tAS16509 (AS16509)\nAWS-01\tAS19047 (AS19047)\nPRIME-TESTING\tAS63088 (AS63088)\n#malicious #rat #infection #auotonomous #virus #network #dns #intrusion #darkweb\n\n*issue with this great tool or possibly my network. Several IoC\u2019s deleted, I went back to retrieve IoC\u2019s from VT they were deleted and I had to do it all\nOver but conditions had changed.\nStill unable to annotate.", "modified": "2025-07-08T19:04:31.649000", "created": "2025-06-08T19:32:27.529000", "tags": [ "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "null", "refresh", "body", "span", "june", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "net3128001", "net3168001", "amazon", "technology", "zenbox", "domain", "r2dbox", "virustotal", "technology xn", "united", "unknown aaaa", "search", "emails", "servers", "moved", "registrar", "creation date", "name servers", "present may", "entries", "ip address", "present feb", "present jan", "aaaa", "status", "passive dns", "urls", "server", "asn16509", "amazon02", "general full", "url http", "reverse dns", "resource", "resource path", "size", "cloudfront", "request id", "expiration date", "record value", "name domain", "org microsoft", "microsoft way", "hostname add", "pulse submit", "pulse indicator", "url analysis", "amazon ec2", "abuse", "aws rpki", "management poc", "ip routing", "report abuse", "abuse poc", "aea8arin", "amazon web", "amazon aws", "service", "net1042531920", "net10425319201", "net108138001", "net108156002", "net130176002", "net13224002", "net13249001", "net1332002", "net1335001", "net143204002", "allocation", "certificate", "assignment", "po box", "learn", "name tactics", "suspicious", "informative", "command", "spawns", "found", "ck techniques", "evasion att", "status code", "body length", "b body", "headers server", "cloudfront date", "contentlength", "connection", "date sun", "defense evasion", "ta0005 command", "control ta0011", "catalog tree", "resolved ips", "cname", "nothing", "accept", "registry keys", "http", "port", "gmt ifnonematch", "info file", "network dropped", "shutdown", "range", "name amazoncf", "parent at88z", "net type", "as organization", "amazon4", "link https", "links arin", "submit url", "handle amazon4", "street", "ave city", "wa postal", "code", "country us", "related", "whoiswhoisrws", "arin search", "whoisrws" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 106, "FileHash-SHA1": 101, "FileHash-SHA256": 636, "URL": 786, "domain": 462, "hostname": 790, "CIDR": 82, "email": 16 }, "indicator_count": 2979, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://whois.arin.net/rest/net/NET-64-252-128-0-1", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://whois.arin.net/rest/net/NET-64-252-128-0-1", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780285469.136915 }