{ "type": "URL", "indicator": "https://www.hostinger.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.hostinger.com/", "type": "url", "type_title": "URL", "validation": [ { "source": "majestic", "message": "Whitelisted domain hostinger.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3890673821, "indicator": "https://www.hostinger.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6608aaf7ca0e965e593ed1d4", "name": "MUI programu Microsoft Office Access (w j\u0119zyku angielskim) zosta\u0142o u\u017cyte do wys\u0142ania z\u0142o\u015bliwego oprogramowania na serwer w Czechach jest to pierwszy tego typu atak na komputer. e", "description": "A look back at some of the key words and phrases used to describe the situation in Italy, as \"probacja\" (or \"democrata), as they were translated into English.", "modified": "2025-10-17T11:03:07.034000", "created": "2024-03-31T00:14:47.183000", "tags": [ "sha256", "ssdeep", "reputacja", "tworzy pliki", "informacje", "bardzo duga", "tworzy", "adresy url", "tworzy katalog", "win64", "ameryki", "typ pliku", "serwer nazw", "san jose", "adres", "digital", "data wyganicia", "csc corporate", "domains", "ca data", "data utworzenia", "dnssec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6432, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2140, "hostname": 5874, "FileHash-SHA256": 12539, "FileHash-MD5": 3686, "FileHash-SHA1": 2751, "IPv4": 503, "URL": 10770, "email": 26, "CVE": 88, "YARA": 6, "JA3": 2, "IPv6": 28, "SSLCertFingerprint": 5, "BitcoinAddress": 3, "CIDR": 1 }, "indicator_count": 38422, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66246ff49ed29ea9bb2bf122", "name": "S\u0105d Rejonowy w Jeleniej Gorze POLAND", "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations", "modified": "2025-05-14T21:18:36.989000", "created": "2024-04-21T01:46:28.554000", "tags": [ "jeleniej grze", "aktualnoci", "informacje", "jednostka", "rejonowy", "konkurs", "najczciej", "sd rejonowy", "przejd", "czytaj", "click", "sdzia jarosaw", "wydziau", "sdzia grzegorz", "katarzyna", "rudnicka dane", "kontaktowe sd", "jelenia gra", "mickiewicza", "zawarto", "html", "nazwa meta", "robotw", "telefon", "brak", "skala", "ua zgodna", "head body", "zasb", "cname", "kod odpowiedzi", "kodowanie treci", "wygasa", "gmt serwer", "pragma", "kontrola pamici", "podrcznej", "data", "gmt kontrola", "dostpuzezwl na", "czytaj wicej", "sd okrgowy", "jednostki", "okrgowy", "ogoszenia", "sha256", "vhash", "ssdeep", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "tworzy katalog", "tworzy pliki", "typ pliku", "json", "ascii", "windows", "sqlite", "foxpro fpt", "links typ", "mapa", "152 x", "sqlite w", "sha1", "sha512", "file size", "b file", "testing", "komornik sdowy", "sdzie rejonowym", "tomasz rodacki", "obwieszczenie", "komornicze", "tumacza migam", "tumacz czynny", "zamknite", "wiadczenia", "schedule", "error", "javascript", "bakers hall", "ixaction", "script", "ixchatlauncher", "compatibility", "com dla", "t1055 pewno", "unikanie obrony", "t1036 maskarada", "t1082 pewno", "informacje o", "nazwa pliku", "dokument pdf", "rozmiar pliku", "zapowied", "type", "iii dbt", "utf8", "dziennik" ], "references": [ "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://waf.intelix.pl/957476/Chat/Script/Compatibility" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "serwer", "display_name": "serwer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 71, "domain": 7651, "hostname": 7680, "IPv4": 331, "FileHash-SHA256": 16168, "URL": 10399, "FileHash-MD5": 3639, "FileHash-SHA1": 3468, "CIDR": 4, "CVE": 89, "YARA": 521, "SSLCertFingerprint": 25, "JA3": 1, "IPv6": 5813 }, "indicator_count": 55860, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66a4293d5bc5c915eac829e0", "name": "Ransom:Win32/Crowti.A : Android Windows | Win.Trojan.Simda CnC", "description": "", "modified": "2024-08-25T21:00:52.039000", "created": "2024-07-26T22:54:53.598000", "tags": [ "united", "unknown", "a domains", "accept", "link", "passive dns", "encrypt", "trmp", "ok server", "date", "meta", "whois lookup", "create date", "domain", "expiry date", "update date", "update", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr10", "validity", "public key", "info", "key algorithm", "dns replication", "subdomains", "first", "historical ssl", "record type", "ttl value", "cname", "certificates", "show", "entries", "yara rule", "delete", "search", "intel", "ms windows", "copy", "binary file", "get updates", "write", "as44273 host", "redacted for", "moved", "record value", "as54113", "body", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "files", "ip address", "files ip", "address domain", "as61969 team", "germany unknown", "msie", "chrome", "precondition", "gmt content", "united kingdom", "as396982 google", "as8075", "ireland unknown", "as21301", "aaaa", "status", "sha1", "windows nt", "sha256", "size", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "span", "format", "click", "hybrid", "twitter", "generator", "tsvt", "strings", "download", "path", "contact", "suspicious", "invalid url", "open ports", "body html", "head title", "title head", "body h1", "reference", "bad request", "server", "version", "trojandropper", "ransom", "checkin", "ipv4", "trojan", "virtool", "http post", "theme directory", "without referer", "cycbot", "http response", "final url", "status code", "body length", "kb body", "headers server", "gmt etag", "gmt date", "referrer", "code signing", "serial number", "ca valid", "from", "valid", "valid usage", "verisign time", "stamping", "thumbprint", "class", "error", "info header", "name md5", "type", "language", "contained", "overlay", "gandi sas", "dynadot", "registrar", "dynadot inc", "cloudflare", "net technology", "corporation", "bigrock", "dynadot llc", "namecheap", "ip detections", "country", "contacted", "defense evasion", "access ta0006", "ta0009 command", "control ta0011", "impact ta0034", "impact ta0040", "ta0040", "samplepath", "pattern urls", "pattern domains", "memory pattern", "domains domain", "ip traffic", "typo squatting", "realteck audio", "phish", "mr windows", "partru", "goog mal", "android windows", "maze", "apple", "malware", "worm", "skynet", "microsoft", "trojan evader", "simda cnc", "showing", "filehash", "pulse pulses", "av detections", "ids detections", "delphi", "network", "crowdstrike" ], "references": [ "43.204.54.95 AS 16509 (AMAZON-02), http://r10.i.lencr.org/, www.maketrumppresidentagain.site", "trojan.shiz/razy: FileHash-SHA256 02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8", "trojan.shiz/razy | CS Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Benche", "trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning", "trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan", "trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan", "trojan.shiz/razy | CS IDS: Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning", "trojan.shiz/razy | Capabilities Collection Log keystrokes via polling", "https://www.virustotal.com/gui/file/02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8/detection", "https://otx.alienvault.com/indicator/file/e6f8e2706058064d8f38d12923e52cec7a128218b39ca1fe60a2dde7ac3d158f | binary_yara mpress_2_xx_x86", "Ransom:Win32/Crowti.A: FileHash-SHA256 1ffa6a3f8844b5955fc5e7329a6fb766cc1f35b39201ceaf0bca282b5b0b8cf6", "Ransom:Win32/Crowti.A: FileHash-MD5 d34cf3663902900ddf46b937449472b9", "Ransom:Win32/Crowti.A: FileHash-SHA1 05a49b7502099932ff628ca5a8583397b7e2dca2", "VirTool:Win32/Injector: FileHash-SHA256 0806653f8af2e9c2530e453f8b1fea47f62f86b5b0b65487ddcfd014eea8e9fe", "VirTool:Win32/Injector: FileHash-MD5 baa1a920d33eee94e123f5dfb6bbe7456692e020d682ae45f0de66130f9ea0da", "VirTool:Win32/Injector: FileHash-SHA1 3e7124373729e9ec90ea1d01222bfdd84b0484e5", "BigRock: gadyzyh.com", "Matches rule ET INFO Namecheap URL", "POLICY Unsupported/Fake Internet Explorer Version MSIE 2", "Win.Trojan.Simda: FileHash-SHA256 0187e1392266fff224de9e3d3fbbe1a05cea8b823906ad27ff577c6e348f6e3b", "Win.Trojan.Simda: FileHash-SHA1 fec01e5e59034cafc2b1e95c23068e075f9dbe69", "Win.Trojan.Simda: FileHash-MD5 efe12fc770fb8647e22adb7f814666e7", "TEL:Win32/Qjwmonkey.A: FileHash-SHA256 30ffb056ad64037a918d80c120db5d0032b29feb7db97ed19824646381165a5d", "TEL:Win32/Qjwmonkey.A: FileHash-SHA1 51efdae4ba6bfec8e6f4ae2d7f6dc8cca42db1da", "TEL:Win32/Qjwmonkey.A: FileHash-MD5 535ce96e43fe532e1ddfd804dbde9c6a", "Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Tim Shelton, Nasreddine Bencherch", "Matches rule Windows Processes Suspicious Parent Directory by vburov" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Netherlands" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Upatre.E", "display_name": "TrojanDownloader:Win32/Upatre.E", "target": "/malware/TrojanDownloader:Win32/Upatre.E" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Win.Trojan.Simda", "display_name": "Win.Trojan.Simda", "target": null }, { "id": "TEL:Win32/Qjwmonkey.A", "display_name": "TEL:Win32/Qjwmonkey.A", "target": "/malware/TEL:Win32/Qjwmonkey.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 549, "domain": 1182, "hostname": 590, "URL": 961, "FileHash-SHA256": 2466, "FileHash-MD5": 562, "SSLCertFingerprint": 7, "email": 4 }, "indicator_count": 6321, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "601 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://waf.intelix.pl/957476/Chat/Script/Compatibility", "BigRock: gadyzyh.com", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Tim Shelton, Nasreddine Bencherch", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "Win.Trojan.Simda: FileHash-SHA1 fec01e5e59034cafc2b1e95c23068e075f9dbe69", "https://www.jelenia-gora.so.gov.pl/", "TEL:Win32/Qjwmonkey.A: FileHash-SHA256 30ffb056ad64037a918d80c120db5d0032b29feb7db97ed19824646381165a5d", "Win.Trojan.Simda: FileHash-SHA256 0187e1392266fff224de9e3d3fbbe1a05cea8b823906ad27ff577c6e348f6e3b", "trojan.shiz/razy | CS IDS: Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning", "trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan", "https://otx.alienvault.com/indicator/file/e6f8e2706058064d8f38d12923e52cec7a128218b39ca1fe60a2dde7ac3d158f | binary_yara mpress_2_xx_x86", "https://www.jelenia-gora.sr.gov.pl/spacer", "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "TEL:Win32/Qjwmonkey.A: FileHash-SHA1 51efdae4ba6bfec8e6f4ae2d7f6dc8cca42db1da", "https://www.virustotal.com/gui/file/02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8/detection", "Matches rule Windows Processes Suspicious Parent Directory by vburov", "trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "VirTool:Win32/Injector: FileHash-SHA1 3e7124373729e9ec90ea1d01222bfdd84b0484e5", "Win.Trojan.Simda: FileHash-MD5 efe12fc770fb8647e22adb7f814666e7", "TEL:Win32/Qjwmonkey.A: FileHash-MD5 535ce96e43fe532e1ddfd804dbde9c6a", "trojan.shiz/razy: FileHash-SHA256 02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8", "43.204.54.95 AS 16509 (AMAZON-02), http://r10.i.lencr.org/, www.maketrumppresidentagain.site", "VirTool:Win32/Injector: FileHash-SHA256 0806653f8af2e9c2530e453f8b1fea47f62f86b5b0b65487ddcfd014eea8e9fe", "http://www.jelenia-gora.so.gov.pl/", "trojan.shiz/razy | Capabilities Collection Log keystrokes via polling", "Ransom:Win32/Crowti.A: FileHash-SHA1 05a49b7502099932ff628ca5a8583397b7e2dca2", "POLICY Unsupported/Fake Internet Explorer Version MSIE 2", "Ransom:Win32/Crowti.A: FileHash-MD5 d34cf3663902900ddf46b937449472b9", "VirTool:Win32/Injector: FileHash-MD5 baa1a920d33eee94e123f5dfb6bbe7456692e020d682ae45f0de66130f9ea0da", "Ransom:Win32/Crowti.A: FileHash-SHA256 1ffa6a3f8844b5955fc5e7329a6fb766cc1f35b39201ceaf0bca282b5b0b8cf6", "trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning", "Matches rule ET INFO Namecheap URL", "trojan.shiz/razy | CS Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Benche", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "", "Cycbot", "Virtool:win32/injector", "Ransom:win32/crowti.a", "Win.trojan.simda", "Serwer", "Tel:win32/qjwmonkey.a", "Trojandownloader:win32/upatre.e" ], "industries": [], "unique_indicators": 114892 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/hostinger.com", "whois": "http://whois.domaintools.com/hostinger.com", "domain": "hostinger.com", "hostname": "www.hostinger.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6608aaf7ca0e965e593ed1d4", "name": "MUI programu Microsoft Office Access (w j\u0119zyku angielskim) zosta\u0142o u\u017cyte do wys\u0142ania z\u0142o\u015bliwego oprogramowania na serwer w Czechach jest to pierwszy tego typu atak na komputer. e", "description": "A look back at some of the key words and phrases used to describe the situation in Italy, as \"probacja\" (or \"democrata), as they were translated into English.", "modified": "2025-10-17T11:03:07.034000", "created": "2024-03-31T00:14:47.183000", "tags": [ "sha256", "ssdeep", "reputacja", "tworzy pliki", "informacje", "bardzo duga", "tworzy", "adresy url", "tworzy katalog", "win64", "ameryki", "typ pliku", "serwer nazw", "san jose", "adres", "digital", "data wyganicia", "csc corporate", "domains", "ca data", "data utworzenia", "dnssec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6432, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2140, "hostname": 5874, "FileHash-SHA256": 12539, "FileHash-MD5": 3686, "FileHash-SHA1": 2751, "IPv4": 503, "URL": 10770, "email": 26, "CVE": 88, "YARA": 6, "JA3": 2, "IPv6": 28, "SSLCertFingerprint": 5, "BitcoinAddress": 3, "CIDR": 1 }, "indicator_count": 38422, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66246ff49ed29ea9bb2bf122", "name": "S\u0105d Rejonowy w Jeleniej Gorze POLAND", "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations", "modified": "2025-05-14T21:18:36.989000", "created": "2024-04-21T01:46:28.554000", "tags": [ "jeleniej grze", "aktualnoci", "informacje", "jednostka", "rejonowy", "konkurs", "najczciej", "sd rejonowy", "przejd", "czytaj", "click", "sdzia jarosaw", "wydziau", "sdzia grzegorz", "katarzyna", "rudnicka dane", "kontaktowe sd", "jelenia gra", "mickiewicza", "zawarto", "html", "nazwa meta", "robotw", "telefon", "brak", "skala", "ua zgodna", "head body", "zasb", "cname", "kod odpowiedzi", "kodowanie treci", "wygasa", "gmt serwer", "pragma", "kontrola pamici", "podrcznej", "data", "gmt kontrola", "dostpuzezwl na", "czytaj wicej", "sd okrgowy", "jednostki", "okrgowy", "ogoszenia", "sha256", "vhash", "ssdeep", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "tworzy katalog", "tworzy pliki", "typ pliku", "json", "ascii", "windows", "sqlite", "foxpro fpt", "links typ", "mapa", "152 x", "sqlite w", "sha1", "sha512", "file size", "b file", "testing", "komornik sdowy", "sdzie rejonowym", "tomasz rodacki", "obwieszczenie", "komornicze", "tumacza migam", "tumacz czynny", "zamknite", "wiadczenia", "schedule", "error", "javascript", "bakers hall", "ixaction", "script", "ixchatlauncher", "compatibility", "com dla", "t1055 pewno", "unikanie obrony", "t1036 maskarada", "t1082 pewno", "informacje o", "nazwa pliku", "dokument pdf", "rozmiar pliku", "zapowied", "type", "iii dbt", "utf8", "dziennik" ], "references": [ "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://waf.intelix.pl/957476/Chat/Script/Compatibility" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "serwer", "display_name": "serwer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 71, "domain": 7651, "hostname": 7680, "IPv4": 331, "FileHash-SHA256": 16168, "URL": 10399, "FileHash-MD5": 3639, "FileHash-SHA1": 3468, "CIDR": 4, "CVE": 89, "YARA": 521, "SSLCertFingerprint": 25, "JA3": 1, "IPv6": 5813 }, "indicator_count": 55860, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66a4293d5bc5c915eac829e0", "name": "Ransom:Win32/Crowti.A : Android Windows | Win.Trojan.Simda CnC", "description": "", "modified": "2024-08-25T21:00:52.039000", "created": "2024-07-26T22:54:53.598000", "tags": [ "united", "unknown", "a domains", "accept", "link", "passive dns", "encrypt", "trmp", "ok server", "date", "meta", "whois lookup", "create date", "domain", "expiry date", "update date", "update", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr10", "validity", "public key", "info", "key algorithm", "dns replication", "subdomains", "first", "historical ssl", "record type", "ttl value", "cname", "certificates", "show", "entries", "yara rule", "delete", "search", "intel", "ms windows", "copy", "binary file", "get updates", "write", "as44273 host", "redacted for", "moved", "record value", "as54113", "body", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "files", "ip address", "files ip", "address domain", "as61969 team", "germany unknown", "msie", "chrome", "precondition", "gmt content", "united kingdom", "as396982 google", "as8075", "ireland unknown", "as21301", "aaaa", "status", "sha1", "windows nt", "sha256", "size", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "span", "format", "click", "hybrid", "twitter", "generator", "tsvt", "strings", "download", "path", "contact", "suspicious", "invalid url", "open ports", "body html", "head title", "title head", "body h1", "reference", "bad request", "server", "version", "trojandropper", "ransom", "checkin", "ipv4", "trojan", "virtool", "http post", "theme directory", "without referer", "cycbot", "http response", "final url", "status code", "body length", "kb body", "headers server", "gmt etag", "gmt date", "referrer", "code signing", "serial number", "ca valid", "from", "valid", "valid usage", "verisign time", "stamping", "thumbprint", "class", "error", "info header", "name md5", "type", "language", "contained", "overlay", "gandi sas", "dynadot", "registrar", "dynadot inc", "cloudflare", "net technology", "corporation", "bigrock", "dynadot llc", "namecheap", "ip detections", "country", "contacted", "defense evasion", "access ta0006", "ta0009 command", "control ta0011", "impact ta0034", "impact ta0040", "ta0040", "samplepath", "pattern urls", "pattern domains", "memory pattern", "domains domain", "ip traffic", "typo squatting", "realteck audio", "phish", "mr windows", "partru", "goog mal", "android windows", "maze", "apple", "malware", "worm", "skynet", "microsoft", "trojan evader", "simda cnc", "showing", "filehash", "pulse pulses", "av detections", "ids detections", "delphi", "network", "crowdstrike" ], "references": [ "43.204.54.95 AS 16509 (AMAZON-02), http://r10.i.lencr.org/, www.maketrumppresidentagain.site", "trojan.shiz/razy: FileHash-SHA256 02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8", "trojan.shiz/razy | CS Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Benche", "trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning", "trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan", "trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan", "trojan.shiz/razy | CS IDS: Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning", "trojan.shiz/razy | Capabilities Collection Log keystrokes via polling", "https://www.virustotal.com/gui/file/02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8/detection", "https://otx.alienvault.com/indicator/file/e6f8e2706058064d8f38d12923e52cec7a128218b39ca1fe60a2dde7ac3d158f | binary_yara mpress_2_xx_x86", "Ransom:Win32/Crowti.A: FileHash-SHA256 1ffa6a3f8844b5955fc5e7329a6fb766cc1f35b39201ceaf0bca282b5b0b8cf6", "Ransom:Win32/Crowti.A: FileHash-MD5 d34cf3663902900ddf46b937449472b9", "Ransom:Win32/Crowti.A: FileHash-SHA1 05a49b7502099932ff628ca5a8583397b7e2dca2", "VirTool:Win32/Injector: FileHash-SHA256 0806653f8af2e9c2530e453f8b1fea47f62f86b5b0b65487ddcfd014eea8e9fe", "VirTool:Win32/Injector: FileHash-MD5 baa1a920d33eee94e123f5dfb6bbe7456692e020d682ae45f0de66130f9ea0da", "VirTool:Win32/Injector: FileHash-SHA1 3e7124373729e9ec90ea1d01222bfdd84b0484e5", "BigRock: gadyzyh.com", "Matches rule ET INFO Namecheap URL", "POLICY Unsupported/Fake Internet Explorer Version MSIE 2", "Win.Trojan.Simda: FileHash-SHA256 0187e1392266fff224de9e3d3fbbe1a05cea8b823906ad27ff577c6e348f6e3b", "Win.Trojan.Simda: FileHash-SHA1 fec01e5e59034cafc2b1e95c23068e075f9dbe69", "Win.Trojan.Simda: FileHash-MD5 efe12fc770fb8647e22adb7f814666e7", "TEL:Win32/Qjwmonkey.A: FileHash-SHA256 30ffb056ad64037a918d80c120db5d0032b29feb7db97ed19824646381165a5d", "TEL:Win32/Qjwmonkey.A: FileHash-SHA1 51efdae4ba6bfec8e6f4ae2d7f6dc8cca42db1da", "TEL:Win32/Qjwmonkey.A: FileHash-MD5 535ce96e43fe532e1ddfd804dbde9c6a", "Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Tim Shelton, Nasreddine Bencherch", "Matches rule Windows Processes Suspicious Parent Directory by vburov" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Netherlands" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Upatre.E", "display_name": "TrojanDownloader:Win32/Upatre.E", "target": "/malware/TrojanDownloader:Win32/Upatre.E" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Win.Trojan.Simda", "display_name": "Win.Trojan.Simda", "target": null }, { "id": "TEL:Win32/Qjwmonkey.A", "display_name": "TEL:Win32/Qjwmonkey.A", "target": "/malware/TEL:Win32/Qjwmonkey.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 549, "domain": 1182, "hostname": 590, "URL": 961, "FileHash-SHA256": 2466, "FileHash-MD5": 562, "SSLCertFingerprint": 7, "email": 4 }, "indicator_count": 6321, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "601 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.hostinger.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.hostinger.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776616779.4691706 }