{ "type": "URL", "indicator": "https://www.tm2.cat/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.tm2.cat/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3948073920, "indicator": "https://www.tm2.cat/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "66eeef55e2c1ec3a4fa60ef4", "name": "Android", "description": "", "modified": "2024-10-25T00:05:34.912000", "created": "2024-09-21T16:07:49.763000", "tags": [ "read c", "write c", "create c", "delete c", "process32nextw", "langchinese", "search", "regsetvalueexa", "medium", "show", "trojan", "malware", "copy", "write", "win32", "tools", "persistence", "execution", "local", "next", "count", "august", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "http", "domain", "passive dns", "urls", "files related", "pulses otx", "unknown", "cname", "files", "ip address", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "encrypt", "france", "nxdomain", "ns nxdomain", "aaaa nxdomain", "name servers", "soa nxdomain", "moved", "creation date", "date", "body", "aaaa", "asnone belgium", "united kingdom", "as16276 ovh", "sha256", "maltaterfb", "showing", "total", "read", "delete", "default", "systemroot", "high", "virtool", "virustotal", "hacktool", "drweb", "vipre", "panda", "et trojan", "msie", "windows nt", "entries", "ascii text", "intel", "ms windows", "salicode", "emails", "expiration date", "france unknown", "taskmail", "task3dmail", "capspdf1", "mboxinbox", "actionshow", "twitter", "canada unknown", "error", "ipv4", "backend", "alfper", "gmt contenttype", "gmt server", "apache", "exploit", "hostname", "dynamicloader", "yara rule", "delivery", "alpha criteria", "inno setup", "format", "june", "stack", "dummy", "overview domain", "pulses", "tags", "related tags", "google safe", "browsing", "record type", "ttl value", "status", "united", "asnone united", "record value", "trojanproxy", "servers", "as15169 google", "for privacy", "domains ii", "ransom", "checks", "bios", "cpu name", "dynamic", "filehash", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "technology", "dns replication", "system label", "cloudflarenet", "apnic", "south brisbane", "asia pacific", "apnic whois", "po box", "cordelia st", "comment", "apnic research", "nethandle", "arin", "andariel", "yara detections", "malware traffic", "nids", "icmp traffic", "dns query", "tcp syn", "resolverror", "externalport", "internalport", "http headers", "home network", "pulse submit", "url analysis", "mitre att", "ta0002 shared", "modules t1129", "windows", "ta0004 access", "t1134", "defense evasion", "xor encrypt", "rc4 prga", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "ob0005 defense", "evasion ob0006", "file system", "oc0001 process", "oc0003 data", "hashes c2ae", "capa", "cape sandbox", "lastline", "microsoft", "memory pattern", "dns resolutions", "ip traffic", "urls tcp", "tiger rat", "hi", "helping sabey" ], "references": [ "Andariel Backdoor Activity (Checkin)", "IDS: WGET Command Specifying Output in HTTP Headers", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media", "Mr. Telephone man. there js something wrong with her line when she tries to dial a number, she gets a freak every time..." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Tonmye", "display_name": "Trojan:Win32/Tonmye", "target": "/malware/Trojan:Win32/Tonmye" }, { "id": "Win32:Kamso", "display_name": "Win32:Kamso", "target": null }, { "id": "VirTool:Win32/CeeInject.GF", "display_name": "VirTool:Win32/CeeInject.GF", "target": "/malware/VirTool:Win32/CeeInject.GF" }, { "id": "ALFPER:PUA:Win32/InstallCore", "display_name": "ALFPER:PUA:Win32/InstallCore", "target": null }, { "id": "Trojan:Win32/Tonmye!rfn", "display_name": "Trojan:Win32/Tonmye!rfn", "target": "/malware/Trojan:Win32/Tonmye!rfn" }, { "id": "Ransom:Win32/Ako", "display_name": "Ransom:Win32/Ako", "target": "/malware/Ransom:Win32/Ako" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ARIN", "display_name": "ARIN", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Trojan[APT]/Win32.Lazarus", "display_name": "Trojan[APT]/Win32.Lazarus", "target": null } ], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": "66ebda7ebbe759bb12cebd4a", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MayDay23", "id": "292773", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 889, "FileHash-SHA1": 817, "FileHash-SHA256": 3623, "domain": 755, "SSLCertFingerprint": 1, "URL": 396, "hostname": 732, "email": 14, "CVE": 3, "CIDR": 2 }, "indicator_count": 7232, "is_author": false, "is_subscribing": null, "subscriber_count": 10, "modified_text": "542 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67176428e4871c2726288178", "name": "Android", "description": "", "modified": "2024-10-25T00:05:34.912000", "created": "2024-10-22T08:36:56.514000", "tags": [ "read c", "write c", "create c", "delete c", "process32nextw", "langchinese", "search", "regsetvalueexa", "medium", "show", "trojan", "malware", "copy", "write", "win32", "tools", "persistence", "execution", "local", "next", "count", "august", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "http", "domain", "passive dns", "urls", "files related", "pulses otx", "unknown", "cname", "files", "ip address", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "encrypt", "france", "nxdomain", "ns nxdomain", "aaaa nxdomain", "name servers", "soa nxdomain", "moved", "creation date", "date", "body", "aaaa", "asnone belgium", "united kingdom", "as16276 ovh", "sha256", "maltaterfb", "showing", "total", "read", "delete", "default", "systemroot", "high", "virtool", "virustotal", "hacktool", "drweb", "vipre", "panda", "et trojan", "msie", "windows nt", "entries", "ascii text", "intel", "ms windows", "salicode", "emails", "expiration date", "france unknown", "taskmail", "task3dmail", "capspdf1", "mboxinbox", "actionshow", "twitter", "canada unknown", "error", "ipv4", "backend", "alfper", "gmt contenttype", "gmt server", "apache", "exploit", "hostname", "dynamicloader", "yara rule", "delivery", "alpha criteria", "inno setup", "format", "june", "stack", "dummy", "overview domain", "pulses", "tags", "related tags", "google safe", "browsing", "record type", "ttl value", "status", "united", "asnone united", "record value", "trojanproxy", "servers", "as15169 google", "for privacy", "domains ii", "ransom", "checks", "bios", "cpu name", "dynamic", "filehash", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "technology", "dns replication", "system label", "cloudflarenet", "apnic", "south brisbane", "asia pacific", "apnic whois", "po box", "cordelia st", "comment", "apnic research", "nethandle", "arin", "andariel", "yara detections", "malware traffic", "nids", "icmp traffic", "dns query", "tcp syn", "resolverror", "externalport", "internalport", "http headers", "home network", "pulse submit", "url analysis", "mitre att", "ta0002 shared", "modules t1129", "windows", "ta0004 access", "t1134", "defense evasion", "xor encrypt", "rc4 prga", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "ob0005 defense", "evasion ob0006", "file system", "oc0001 process", "oc0003 data", "hashes c2ae", "capa", "cape sandbox", "lastline", "microsoft", "memory pattern", "dns resolutions", "ip traffic", "urls tcp", "tiger rat", "hi", "helping sabey" ], "references": [ "Andariel Backdoor Activity (Checkin)", "IDS: WGET Command Specifying Output in HTTP Headers", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media", "Mr. Telephone man. there js something wrong with her line when she tries to dial a number, she gets a freak every time..." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Tonmye", "display_name": "Trojan:Win32/Tonmye", "target": "/malware/Trojan:Win32/Tonmye" }, { "id": "Win32:Kamso", "display_name": "Win32:Kamso", "target": null }, { "id": "VirTool:Win32/CeeInject.GF", "display_name": "VirTool:Win32/CeeInject.GF", "target": "/malware/VirTool:Win32/CeeInject.GF" }, { "id": "ALFPER:PUA:Win32/InstallCore", "display_name": "ALFPER:PUA:Win32/InstallCore", "target": null }, { "id": "Trojan:Win32/Tonmye!rfn", "display_name": "Trojan:Win32/Tonmye!rfn", "target": "/malware/Trojan:Win32/Tonmye!rfn" }, { "id": "Ransom:Win32/Ako", "display_name": "Ransom:Win32/Ako", "target": "/malware/Ransom:Win32/Ako" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ARIN", "display_name": "ARIN", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Trojan[APT]/Win32.Lazarus", "display_name": "Trojan[APT]/Win32.Lazarus", "target": null } ], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": "66eeef55e2c1ec3a4fa60ef4", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jefivnguyen", "id": "293031", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 889, "FileHash-SHA1": 817, "FileHash-SHA256": 3623, "domain": 755, "SSLCertFingerprint": 1, "URL": 396, "hostname": 732, "email": 14, "CVE": 3, "CIDR": 2 }, "indicator_count": 7232, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "542 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ebda7ebbe759bb12cebd4a", "name": "Andariel Backdoor Activity - Mirai found in Android", "description": "Andariel Backdoor Activity: Cited as a state sponsored threat group, this ET malware Check in) can be accessed by decent hackers. Found in a targets android device. \n\nDevice being used to attack , manipulate accounts , files and every CnC Botmaster task desired.\n\nNote:. Hack responsibly.. Stop attacking innocent civilians.", "modified": "2024-10-19T07:01:20.116000", "created": "2024-09-19T08:02:06.265000", "tags": [ "read c", "write c", "create c", "delete c", "process32nextw", "langchinese", "search", "regsetvalueexa", "medium", "show", "trojan", "malware", "copy", "write", "win32", "tools", "persistence", "execution", "local", "next", "count", "august", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "http", "domain", "passive dns", "urls", "files related", "pulses otx", "unknown", "cname", "files", "ip address", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "encrypt", "france", "nxdomain", "ns nxdomain", "aaaa nxdomain", "name servers", "soa nxdomain", "moved", "creation date", "date", "body", "aaaa", "asnone belgium", "united kingdom", "as16276 ovh", "sha256", "maltaterfb", "showing", "total", "read", "delete", "default", "systemroot", "high", "virtool", "virustotal", "hacktool", "drweb", "vipre", "panda", "et trojan", "msie", "windows nt", "entries", "ascii text", "intel", "ms windows", "salicode", "emails", "expiration date", "france unknown", "taskmail", "task3dmail", "capspdf1", "mboxinbox", "actionshow", "twitter", "canada unknown", "error", "ipv4", "backend", "alfper", "gmt contenttype", "gmt server", "apache", "exploit", "hostname", "dynamicloader", "yara rule", "delivery", "alpha criteria", "inno setup", "format", "june", "stack", "dummy", "overview domain", "pulses", "tags", "related tags", "google safe", "browsing", "record type", "ttl value", "status", "united", "asnone united", "record value", "trojanproxy", "servers", "as15169 google", "for privacy", "domains ii", "ransom", "checks", "bios", "cpu name", "dynamic", "filehash", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "technology", "dns replication", "system label", "cloudflarenet", "apnic", "south brisbane", "asia pacific", "apnic whois", "po box", "cordelia st", "comment", "apnic research", "nethandle", "arin", "andariel", "yara detections", "malware traffic", "nids", "icmp traffic", "dns query", "tcp syn", "resolverror", "externalport", "internalport", "http headers", "home network", "pulse submit", "url analysis", "mitre att", "ta0002 shared", "modules t1129", "windows", "ta0004 access", "t1134", "defense evasion", "xor encrypt", "rc4 prga", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "ob0005 defense", "evasion ob0006", "file system", "oc0001 process", "oc0003 data", "hashes c2ae", "capa", "cape sandbox", "lastline", "microsoft", "memory pattern", "dns resolutions", "ip traffic", "urls tcp", "tiger rat", "hi", "helping sabey" ], "references": [ "Andariel Backdoor Activity (Checkin)", "IDS: WGET Command Specifying Output in HTTP Headers", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media", "Mr. Telephone man. there js something wrong with her line when she tries to dial a number, she gets a freak every time..." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Tonmye", "display_name": "Trojan:Win32/Tonmye", "target": "/malware/Trojan:Win32/Tonmye" }, { "id": "Win32:Kamso", "display_name": "Win32:Kamso", "target": null }, { "id": "VirTool:Win32/CeeInject.GF", "display_name": "VirTool:Win32/CeeInject.GF", "target": "/malware/VirTool:Win32/CeeInject.GF" }, { "id": "ALFPER:PUA:Win32/InstallCore", "display_name": "ALFPER:PUA:Win32/InstallCore", "target": null }, { "id": "Trojan:Win32/Tonmye!rfn", "display_name": "Trojan:Win32/Tonmye!rfn", "target": "/malware/Trojan:Win32/Tonmye!rfn" }, { "id": "Ransom:Win32/Ako", "display_name": "Ransom:Win32/Ako", "target": "/malware/Ransom:Win32/Ako" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ARIN", "display_name": "ARIN", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Trojan[APT]/Win32.Lazarus", "display_name": "Trojan[APT]/Win32.Lazarus", "target": null } ], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 889, "FileHash-SHA1": 817, "FileHash-SHA256": 3623, "domain": 755, "SSLCertFingerprint": 1, "URL": 396, "hostname": 732, "email": 14, "CVE": 3, "CIDR": 2 }, "indicator_count": 7232, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "548 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Mr. Telephone man. there js something wrong with her line when she tries to dial a number, she gets a freak every time...", "IDS: WGET Command Specifying Output in HTTP Headers", "Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "Andariel Backdoor Activity (Checkin)" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Apnic", "Win32:kamso", "Ransom:win32/ako", "Virtool:win32/ceeinject.gf", "Alfper:pua:win32/installcore", "Unix.trojan.mirai-6981169-0", "Trojan:win32/tonmye!rfn", "Mirai", "Arin", "Trojan:win32/tonmye", "Trojan[apt]/win32.lazarus", "Elf:ddos-y\\ [trj]" ], "industries": [], "unique_indicators": 7741 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/tm2.cat", "whois": "http://whois.domaintools.com/tm2.cat", "domain": "tm2.cat", "hostname": "www.tm2.cat" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "66eeef55e2c1ec3a4fa60ef4", "name": "Android", "description": "", "modified": "2024-10-25T00:05:34.912000", "created": "2024-09-21T16:07:49.763000", "tags": [ "read c", "write c", "create c", "delete c", "process32nextw", "langchinese", "search", "regsetvalueexa", "medium", "show", "trojan", "malware", "copy", "write", "win32", "tools", "persistence", "execution", "local", "next", "count", "august", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "http", "domain", "passive dns", "urls", "files related", "pulses otx", "unknown", "cname", "files", "ip address", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "encrypt", "france", "nxdomain", "ns nxdomain", "aaaa nxdomain", "name servers", "soa nxdomain", "moved", "creation date", "date", "body", "aaaa", "asnone belgium", "united kingdom", "as16276 ovh", "sha256", "maltaterfb", "showing", "total", "read", "delete", "default", "systemroot", "high", "virtool", "virustotal", "hacktool", "drweb", "vipre", "panda", "et trojan", "msie", "windows nt", "entries", "ascii text", "intel", "ms windows", "salicode", "emails", "expiration date", "france unknown", "taskmail", "task3dmail", "capspdf1", "mboxinbox", "actionshow", "twitter", "canada unknown", "error", "ipv4", "backend", "alfper", "gmt contenttype", "gmt server", "apache", "exploit", "hostname", "dynamicloader", "yara rule", "delivery", "alpha criteria", "inno setup", "format", "june", "stack", "dummy", "overview domain", "pulses", "tags", "related tags", "google safe", "browsing", "record type", "ttl value", "status", "united", "asnone united", "record value", "trojanproxy", "servers", "as15169 google", "for privacy", "domains ii", "ransom", "checks", "bios", "cpu name", "dynamic", "filehash", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "technology", "dns replication", "system label", "cloudflarenet", "apnic", "south brisbane", "asia pacific", "apnic whois", "po box", "cordelia st", "comment", "apnic research", "nethandle", "arin", "andariel", "yara detections", "malware traffic", "nids", "icmp traffic", "dns query", "tcp syn", "resolverror", "externalport", "internalport", "http headers", "home network", "pulse submit", "url analysis", "mitre att", "ta0002 shared", "modules t1129", "windows", "ta0004 access", "t1134", "defense evasion", "xor encrypt", "rc4 prga", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "ob0005 defense", "evasion ob0006", "file system", "oc0001 process", "oc0003 data", "hashes c2ae", "capa", "cape sandbox", "lastline", "microsoft", "memory pattern", "dns resolutions", "ip traffic", "urls tcp", "tiger rat", "hi", "helping sabey" ], "references": [ "Andariel Backdoor Activity (Checkin)", "IDS: WGET Command Specifying Output in HTTP Headers", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media", "Mr. Telephone man. there js something wrong with her line when she tries to dial a number, she gets a freak every time..." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Tonmye", "display_name": "Trojan:Win32/Tonmye", "target": "/malware/Trojan:Win32/Tonmye" }, { "id": "Win32:Kamso", "display_name": "Win32:Kamso", "target": null }, { "id": "VirTool:Win32/CeeInject.GF", "display_name": "VirTool:Win32/CeeInject.GF", "target": "/malware/VirTool:Win32/CeeInject.GF" }, { "id": "ALFPER:PUA:Win32/InstallCore", "display_name": "ALFPER:PUA:Win32/InstallCore", "target": null }, { "id": "Trojan:Win32/Tonmye!rfn", "display_name": "Trojan:Win32/Tonmye!rfn", "target": "/malware/Trojan:Win32/Tonmye!rfn" }, { "id": "Ransom:Win32/Ako", "display_name": "Ransom:Win32/Ako", "target": "/malware/Ransom:Win32/Ako" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ARIN", "display_name": "ARIN", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Trojan[APT]/Win32.Lazarus", "display_name": "Trojan[APT]/Win32.Lazarus", "target": null } ], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": "66ebda7ebbe759bb12cebd4a", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MayDay23", "id": "292773", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 889, "FileHash-SHA1": 817, "FileHash-SHA256": 3623, "domain": 755, "SSLCertFingerprint": 1, "URL": 396, "hostname": 732, "email": 14, "CVE": 3, "CIDR": 2 }, "indicator_count": 7232, "is_author": false, "is_subscribing": null, "subscriber_count": 10, "modified_text": "542 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67176428e4871c2726288178", "name": "Android", "description": "", "modified": "2024-10-25T00:05:34.912000", "created": "2024-10-22T08:36:56.514000", "tags": [ "read c", "write c", "create c", "delete c", "process32nextw", "langchinese", "search", "regsetvalueexa", "medium", "show", "trojan", "malware", "copy", "write", "win32", "tools", "persistence", "execution", "local", "next", "count", "august", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "http", "domain", "passive dns", "urls", "files related", "pulses otx", "unknown", "cname", "files", "ip address", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "encrypt", "france", "nxdomain", "ns nxdomain", "aaaa nxdomain", "name servers", "soa nxdomain", "moved", "creation date", "date", "body", "aaaa", "asnone belgium", "united kingdom", "as16276 ovh", "sha256", "maltaterfb", "showing", "total", "read", "delete", "default", "systemroot", "high", "virtool", "virustotal", "hacktool", "drweb", "vipre", "panda", "et trojan", "msie", "windows nt", "entries", "ascii text", "intel", "ms windows", "salicode", "emails", "expiration date", "france unknown", "taskmail", "task3dmail", "capspdf1", "mboxinbox", "actionshow", "twitter", "canada unknown", "error", "ipv4", "backend", "alfper", "gmt contenttype", "gmt server", "apache", "exploit", "hostname", "dynamicloader", "yara rule", "delivery", "alpha criteria", "inno setup", "format", "june", "stack", "dummy", "overview domain", "pulses", "tags", "related tags", "google safe", "browsing", "record type", "ttl value", "status", "united", "asnone united", "record value", "trojanproxy", "servers", "as15169 google", "for privacy", "domains ii", "ransom", "checks", "bios", "cpu name", "dynamic", "filehash", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "technology", "dns replication", "system label", "cloudflarenet", "apnic", "south brisbane", "asia pacific", "apnic whois", "po box", "cordelia st", "comment", "apnic research", "nethandle", "arin", "andariel", "yara detections", "malware traffic", "nids", "icmp traffic", "dns query", "tcp syn", "resolverror", "externalport", "internalport", "http headers", "home network", "pulse submit", "url analysis", "mitre att", "ta0002 shared", "modules t1129", "windows", "ta0004 access", "t1134", "defense evasion", "xor encrypt", "rc4 prga", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "ob0005 defense", "evasion ob0006", "file system", "oc0001 process", "oc0003 data", "hashes c2ae", "capa", "cape sandbox", "lastline", "microsoft", "memory pattern", "dns resolutions", "ip traffic", "urls tcp", "tiger rat", "hi", "helping sabey" ], "references": [ "Andariel Backdoor Activity (Checkin)", "IDS: WGET Command Specifying Output in HTTP Headers", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media", "Mr. Telephone man. there js something wrong with her line when she tries to dial a number, she gets a freak every time..." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Tonmye", "display_name": "Trojan:Win32/Tonmye", "target": "/malware/Trojan:Win32/Tonmye" }, { "id": "Win32:Kamso", "display_name": "Win32:Kamso", "target": null }, { "id": "VirTool:Win32/CeeInject.GF", "display_name": "VirTool:Win32/CeeInject.GF", "target": "/malware/VirTool:Win32/CeeInject.GF" }, { "id": "ALFPER:PUA:Win32/InstallCore", "display_name": "ALFPER:PUA:Win32/InstallCore", "target": null }, { "id": "Trojan:Win32/Tonmye!rfn", "display_name": "Trojan:Win32/Tonmye!rfn", "target": "/malware/Trojan:Win32/Tonmye!rfn" }, { "id": "Ransom:Win32/Ako", "display_name": "Ransom:Win32/Ako", "target": "/malware/Ransom:Win32/Ako" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ARIN", "display_name": "ARIN", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Trojan[APT]/Win32.Lazarus", "display_name": "Trojan[APT]/Win32.Lazarus", "target": null } ], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": "66eeef55e2c1ec3a4fa60ef4", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jefivnguyen", "id": "293031", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 889, "FileHash-SHA1": 817, "FileHash-SHA256": 3623, "domain": 755, "SSLCertFingerprint": 1, "URL": 396, "hostname": 732, "email": 14, "CVE": 3, "CIDR": 2 }, "indicator_count": 7232, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "542 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ebda7ebbe759bb12cebd4a", "name": "Andariel Backdoor Activity - Mirai found in Android", "description": "Andariel Backdoor Activity: Cited as a state sponsored threat group, this ET malware Check in) can be accessed by decent hackers. Found in a targets android device. \n\nDevice being used to attack , manipulate accounts , files and every CnC Botmaster task desired.\n\nNote:. Hack responsibly.. Stop attacking innocent civilians.", "modified": "2024-10-19T07:01:20.116000", "created": "2024-09-19T08:02:06.265000", "tags": [ "read c", "write c", "create c", "delete c", "process32nextw", "langchinese", "search", "regsetvalueexa", "medium", "show", "trojan", "malware", "copy", "write", "win32", "tools", "persistence", "execution", "local", "next", "count", "august", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "http", "domain", "passive dns", "urls", "files related", "pulses otx", "unknown", "cname", "files", "ip address", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "encrypt", "france", "nxdomain", "ns nxdomain", "aaaa nxdomain", "name servers", "soa nxdomain", "moved", "creation date", "date", "body", "aaaa", "asnone belgium", "united kingdom", "as16276 ovh", "sha256", "maltaterfb", "showing", "total", "read", "delete", "default", "systemroot", "high", "virtool", "virustotal", "hacktool", "drweb", "vipre", "panda", "et trojan", "msie", "windows nt", "entries", "ascii text", "intel", "ms windows", "salicode", "emails", "expiration date", "france unknown", "taskmail", "task3dmail", "capspdf1", "mboxinbox", "actionshow", "twitter", "canada unknown", "error", "ipv4", "backend", "alfper", "gmt contenttype", "gmt server", "apache", "exploit", "hostname", "dynamicloader", "yara rule", "delivery", "alpha criteria", "inno setup", "format", "june", "stack", "dummy", "overview domain", "pulses", "tags", "related tags", "google safe", "browsing", "record type", "ttl value", "status", "united", "asnone united", "record value", "trojanproxy", "servers", "as15169 google", "for privacy", "domains ii", "ransom", "checks", "bios", "cpu name", "dynamic", "filehash", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "technology", "dns replication", "system label", "cloudflarenet", "apnic", "south brisbane", "asia pacific", "apnic whois", "po box", "cordelia st", "comment", "apnic research", "nethandle", "arin", "andariel", "yara detections", "malware traffic", "nids", "icmp traffic", "dns query", "tcp syn", "resolverror", "externalport", "internalport", "http headers", "home network", "pulse submit", "url analysis", "mitre att", "ta0002 shared", "modules t1129", "windows", "ta0004 access", "t1134", "defense evasion", "xor encrypt", "rc4 prga", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "ob0005 defense", "evasion ob0006", "file system", "oc0001 process", "oc0003 data", "hashes c2ae", "capa", "cape sandbox", "lastline", "microsoft", "memory pattern", "dns resolutions", "ip traffic", "urls tcp", "tiger rat", "hi", "helping sabey" ], "references": [ "Andariel Backdoor Activity (Checkin)", "IDS: WGET Command Specifying Output in HTTP Headers", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media", "Mr. Telephone man. there js something wrong with her line when she tries to dial a number, she gets a freak every time..." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Tonmye", "display_name": "Trojan:Win32/Tonmye", "target": "/malware/Trojan:Win32/Tonmye" }, { "id": "Win32:Kamso", "display_name": "Win32:Kamso", "target": null }, { "id": "VirTool:Win32/CeeInject.GF", "display_name": "VirTool:Win32/CeeInject.GF", "target": "/malware/VirTool:Win32/CeeInject.GF" }, { "id": "ALFPER:PUA:Win32/InstallCore", "display_name": "ALFPER:PUA:Win32/InstallCore", "target": null }, { "id": "Trojan:Win32/Tonmye!rfn", "display_name": "Trojan:Win32/Tonmye!rfn", "target": "/malware/Trojan:Win32/Tonmye!rfn" }, { "id": "Ransom:Win32/Ako", "display_name": "Ransom:Win32/Ako", "target": "/malware/Ransom:Win32/Ako" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ARIN", "display_name": "ARIN", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Trojan[APT]/Win32.Lazarus", "display_name": "Trojan[APT]/Win32.Lazarus", "target": null } ], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 889, "FileHash-SHA1": 817, "FileHash-SHA256": 3623, "domain": 755, "SSLCertFingerprint": 1, "URL": 396, "hostname": 732, "email": 14, "CVE": 3, "CIDR": 2 }, "indicator_count": 7232, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "548 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.tm2.cat/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.tm2.cat/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776672896.5501502 }