{
  "type": "URL",
  "indicator": "https://zmail.willaecho.pl",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://zmail.willaecho.pl",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3763045780,
      "indicator": "https://zmail.willaecho.pl",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "66246ff49ed29ea9bb2bf122",
          "name": "S\u0105d Rejonowy w Jeleniej Gorze  POLAND",
          "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations",
          "modified": "2025-05-14T21:18:36.989000",
          "created": "2024-04-21T01:46:28.554000",
          "tags": [
            "jeleniej grze",
            "aktualnoci",
            "informacje",
            "jednostka",
            "rejonowy",
            "konkurs",
            "najczciej",
            "sd rejonowy",
            "przejd",
            "czytaj",
            "click",
            "sdzia jarosaw",
            "wydziau",
            "sdzia grzegorz",
            "katarzyna",
            "rudnicka dane",
            "kontaktowe sd",
            "jelenia gra",
            "mickiewicza",
            "zawarto",
            "html",
            "nazwa meta",
            "robotw",
            "telefon",
            "brak",
            "skala",
            "ua zgodna",
            "head body",
            "zasb",
            "cname",
            "kod odpowiedzi",
            "kodowanie treci",
            "wygasa",
            "gmt serwer",
            "pragma",
            "kontrola pamici",
            "podrcznej",
            "data",
            "gmt kontrola",
            "dostpuzezwl na",
            "czytaj wicej",
            "sd okrgowy",
            "jednostki",
            "okrgowy",
            "ogoszenia",
            "sha256",
            "vhash",
            "ssdeep",
            "https odcisk",
            "palca jarma",
            "https dane",
            "v3 numer",
            "odcisk palca",
            "tworzy katalog",
            "tworzy pliki",
            "typ pliku",
            "json",
            "ascii",
            "windows",
            "sqlite",
            "foxpro fpt",
            "links typ",
            "mapa",
            "152 x",
            "sqlite w",
            "sha1",
            "sha512",
            "file size",
            "b file",
            "testing",
            "komornik sdowy",
            "sdzie rejonowym",
            "tomasz rodacki",
            "obwieszczenie",
            "komornicze",
            "tumacza migam",
            "tumacz czynny",
            "zamknite",
            "wiadczenia",
            "schedule",
            "error",
            "javascript",
            "bakers hall",
            "ixaction",
            "script",
            "ixchatlauncher",
            "compatibility",
            "com dla",
            "t1055 pewno",
            "unikanie obrony",
            "t1036 maskarada",
            "t1082 pewno",
            "informacje o",
            "nazwa pliku",
            "dokument pdf",
            "rozmiar pliku",
            "zapowied",
            "type",
            "iii dbt",
            "utf8",
            "dziennik"
          ],
          "references": [
            "S?d Rejonowy w Jeleniej G\u00f3rze.htm",
            "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm",
            "http://www.jelenia-gora.so.gov.pl/",
            "https://www.jelenia-gora.so.gov.pl/",
            "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze",
            "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora",
            "https://www.jelenia-gora.sr.gov.pl/spacer",
            "https://waf.intelix.pl/957476/Chat/Script/Compatibility"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "",
              "display_name": "",
              "target": null
            },
            {
              "id": "serwer",
              "display_name": "serwer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 71,
            "domain": 7651,
            "hostname": 7680,
            "IPv4": 331,
            "FileHash-SHA256": 16168,
            "URL": 10399,
            "FileHash-MD5": 3639,
            "FileHash-SHA1": 3468,
            "CIDR": 4,
            "CVE": 89,
            "YARA": 521,
            "SSLCertFingerprint": 25,
            "JA3": 1,
            "IPv6": 5813
          },
          "indicator_count": 55860,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "339 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "666a290827eb9a7dec1aa57f",
          "name": "just checking",
          "description": "",
          "modified": "2024-07-12T21:02:00.286000",
          "created": "2024-06-12T23:02:32.039000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 1278,
            "URL": 5288,
            "domain": 1217,
            "hostname": 2980,
            "CVE": 1
          },
          "indicator_count": 10774,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 178,
          "modified_text": "645 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6570a79b4cdcde83bffbd1df",
          "name": "Tofsee | Lazystax[.]ru - Malicious malware campaign continues",
          "description": "",
          "modified": "2023-12-06T16:55:55.527000",
          "created": "2023-12-06T16:55:55.527000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 776,
            "URL": 733,
            "domain": 184,
            "FileHash-MD5": 69,
            "FileHash-SHA1": 69,
            "hostname": 248
          },
          "indicator_count": 2079,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "864 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "651a2967995342c1de08e420",
          "name": "Tofsee | Lazystax[.]ru - Malicious malware campaign continues",
          "description": "Domain Sporadically Resolves to an IP\nDNS: Stopped resolving 09/30/2023 and 10/02/2023. Was sharing Tofsee and other malware. August - October 2nd lazystax\u00b0ru shared Emotet, Tofsee, Glupteba intermittently, combined with other malicious files. \nCurrently communicates 70+ malicious files.\nDomain not resolving\nRunning webserver\nRunning webserver",
          "modified": "2023-10-31T19:02:38.816000",
          "created": "2023-10-02T02:22:31.892000",
          "tags": [
            "contacted",
            "referrer",
            "whois whois",
            "historical ssl",
            "resolutions",
            "ssl certificate",
            "kradnie krypto",
            "axelo",
            "atkafij0 https",
            "ssl w",
            "execution",
            "Bot Nets",
            "Government",
            "malicious",
            "tofsee",
            "gheg",
            "historicalandnew",
            "C2",
            "C2 extraction",
            "C2 injection",
            "2023/30/09 Trojan:WIN32.Emotet.YL",
            "nginx",
            "urknames.com",
            "reg-ru",
            "remote address: 8.8.8.8:53",
            "svchost.exe",
            "backdoor"
          ],
          "references": [
            "https://threatfox.abuse.ch/browse/tag/tofsee/",
            "https://www.virustotal.com/gui/domain/lazystax.ru/details",
            "https://www.virustotal.com/gui/domain/lazystax.ru/community",
            "Sophos: Command and Control Webroot: Bot Nets",
            "Xcitium Verdict Cloud:  Media Sharing",
            "Forcepoint ThreatSeeker: Government",
            "alphaMountain.ai:  Malicious (alphaMountain.ai)",
            "Online Research",
            "Research  analysis",
            "Linked to my domains, urls, websites, other media. At some point this link could  be found in many legal state, federal, domains, website  as well as extremely, overtly malicious websites, domains, urls.....",
            "https://tria.ge/210906-p1v21abbc5/behavioral2 Source",
            "https://otx.alienvault.com/indicator/domain/Lazystax.ru",
            "https://otx.alienvault.com/indicator/file/ef181d8efbb126e26fdd753e3287858063ea1cbc2baceb855949c25cfc3c4f40",
            "https://otx.alienvault.com/indicator/file/0f51b0620dbbd782c786613f396b5341a8341a4131b3c9bef47f96bd446a07a7",
            "https://otx.alienvault.com/indicator/file/1ee0ff6d3d73df2052c8b426051d3e69da65e7f27d856de81c72c850127dced2",
            "https://any.run/report/c0e63d3688879e4c415fe9c99649dd6c0cfed77424c979dd65d597a6f524cb03/ceac4db6-f8b0-4379-aa55-b4dd71ef85c3",
            "https://otx.alienvault.com/indicator/file/aca0a107d9f67951a37f3c9e5330c625a48e2fc72b636548c94e66573c509d37",
            "https://twitter.com/RexorVc0/status/1555074253795606529",
            "https://www.malwareurl.com/ns_listing.php?ip=195.123.1.2",
            "https://www.vmray.com/analyses/de4dcdc5a37d/report/report.pdf Source"
          ],
          "public": 1,
          "adversary": "Trojan:Win32/Glupteba",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Azorult.GM!MTB",
              "display_name": "Trojan:Win32/Azorult.GM!MTB",
              "target": "/malware/Trojan:Win32/Azorult.GM!MTB"
            },
            {
              "id": "Trojan:Win32/Androm.R!MTB",
              "display_name": "Trojan:Win32/Androm.R!MTB",
              "target": "/malware/Trojan:Win32/Androm.R!MTB"
            },
            {
              "id": "Ransom:Win32/Sodinokibi.SK!MSR",
              "display_name": "Ransom:Win32/Sodinokibi.SK!MSR",
              "target": "/malware/Ransom:Win32/Sodinokibi.SK!MSR"
            },
            {
              "id": "PWS:Win32/Predator.KM!MTB",
              "display_name": "PWS:Win32/Predator.KM!MTB",
              "target": "/malware/PWS:Win32/Predator.KM!MTB"
            },
            {
              "id": "Backdoor:Win32/Tofsee.T",
              "display_name": "Backdoor:Win32/Tofsee.T",
              "target": "/malware/Backdoor:Win32/Tofsee.T"
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/Midrami.A",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/Midrami.A",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/ArkeiStealer.RM!rfn",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/ArkeiStealer.RM!rfn",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/Glupteba",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/Glupteba",
              "target": null
            },
            {
              "id": "Trojan:Win32/Emotet.YL",
              "display_name": "Trojan:Win32/Emotet.YL",
              "target": "/malware/Trojan:Win32/Emotet.YL"
            }
          ],
          "attack_ids": [],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 69,
            "FileHash-SHA1": 69,
            "FileHash-SHA256": 776,
            "URL": 733,
            "domain": 184,
            "hostname": 248
          },
          "indicator_count": 2079,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "900 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65405dd9911a5b7964bd656a",
          "name": "Tofsee | Lazystax[.]ru - Malicious malware campaign continues [ Pulse created by user  b..,.........",
          "description": "",
          "modified": "2023-10-31T19:02:38.816000",
          "created": "2023-10-31T01:52:25.951000",
          "tags": [
            "contacted",
            "referrer",
            "whois whois",
            "historical ssl",
            "resolutions",
            "ssl certificate",
            "kradnie krypto",
            "axelo",
            "atkafij0 https",
            "ssl w",
            "execution",
            "Bot Nets",
            "Government",
            "malicious",
            "tofsee",
            "gheg",
            "historicalandnew",
            "C2",
            "C2 extraction",
            "C2 injection",
            "2023/30/09 Trojan:WIN32.Emotet.YL",
            "nginx",
            "urknames.com",
            "reg-ru",
            "remote address: 8.8.8.8:53",
            "svchost.exe",
            "backdoor"
          ],
          "references": [
            "https://threatfox.abuse.ch/browse/tag/tofsee/",
            "https://www.virustotal.com/gui/domain/lazystax.ru/details",
            "https://www.virustotal.com/gui/domain/lazystax.ru/community",
            "Sophos: Command and Control Webroot: Bot Nets",
            "Xcitium Verdict Cloud:  Media Sharing",
            "Forcepoint ThreatSeeker: Government",
            "alphaMountain.ai:  Malicious (alphaMountain.ai)",
            "Online Research",
            "Research  analysis",
            "Linked to my domains, urls, websites, other media. At some point this link could  be found in many legal state, federal, domains, website  as well as extremely, overtly malicious websites, domains, urls.....",
            "https://tria.ge/210906-p1v21abbc5/behavioral2 Source",
            "https://otx.alienvault.com/indicator/domain/Lazystax.ru",
            "https://otx.alienvault.com/indicator/file/ef181d8efbb126e26fdd753e3287858063ea1cbc2baceb855949c25cfc3c4f40",
            "https://otx.alienvault.com/indicator/file/0f51b0620dbbd782c786613f396b5341a8341a4131b3c9bef47f96bd446a07a7",
            "https://otx.alienvault.com/indicator/file/1ee0ff6d3d73df2052c8b426051d3e69da65e7f27d856de81c72c850127dced2",
            "https://any.run/report/c0e63d3688879e4c415fe9c99649dd6c0cfed77424c979dd65d597a6f524cb03/ceac4db6-f8b0-4379-aa55-b4dd71ef85c3",
            "https://otx.alienvault.com/indicator/file/aca0a107d9f67951a37f3c9e5330c625a48e2fc72b636548c94e66573c509d37",
            "https://twitter.com/RexorVc0/status/1555074253795606529",
            "https://www.malwareurl.com/ns_listing.php?ip=195.123.1.2",
            "https://www.vmray.com/analyses/de4dcdc5a37d/report/report.pdf Source"
          ],
          "public": 1,
          "adversary": "Trojan:Win32/Glupteba",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Azorult.GM!MTB",
              "display_name": "Trojan:Win32/Azorult.GM!MTB",
              "target": "/malware/Trojan:Win32/Azorult.GM!MTB"
            },
            {
              "id": "Trojan:Win32/Androm.R!MTB",
              "display_name": "Trojan:Win32/Androm.R!MTB",
              "target": "/malware/Trojan:Win32/Androm.R!MTB"
            },
            {
              "id": "Ransom:Win32/Sodinokibi.SK!MSR",
              "display_name": "Ransom:Win32/Sodinokibi.SK!MSR",
              "target": "/malware/Ransom:Win32/Sodinokibi.SK!MSR"
            },
            {
              "id": "PWS:Win32/Predator.KM!MTB",
              "display_name": "PWS:Win32/Predator.KM!MTB",
              "target": "/malware/PWS:Win32/Predator.KM!MTB"
            },
            {
              "id": "Backdoor:Win32/Tofsee.T",
              "display_name": "Backdoor:Win32/Tofsee.T",
              "target": "/malware/Backdoor:Win32/Tofsee.T"
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/Midrami.A",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/Midrami.A",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/ArkeiStealer.RM!rfn",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/ArkeiStealer.RM!rfn",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/Glupteba",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/Glupteba",
              "target": null
            },
            {
              "id": "Trojan:Win32/Emotet.YL",
              "display_name": "Trojan:Win32/Emotet.YL",
              "target": "/malware/Trojan:Win32/Emotet.YL"
            }
          ],
          "attack_ids": [],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "651a2967995342c1de08e420",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 69,
            "FileHash-SHA1": 69,
            "FileHash-SHA256": 776,
            "URL": 733,
            "domain": 184,
            "hostname": 248
          },
          "indicator_count": 2079,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "900 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Online Research",
        "https://threatfox.abuse.ch/browse/tag/tofsee/",
        "https://www.virustotal.com/gui/domain/lazystax.ru/community",
        "https://www.malwareurl.com/ns_listing.php?ip=195.123.1.2",
        "https://waf.intelix.pl/957476/Chat/Script/Compatibility",
        "http://www.jelenia-gora.so.gov.pl/",
        "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm",
        "https://otx.alienvault.com/indicator/file/aca0a107d9f67951a37f3c9e5330c625a48e2fc72b636548c94e66573c509d37",
        "Sophos: Command and Control Webroot: Bot Nets",
        "https://twitter.com/RexorVc0/status/1555074253795606529",
        "Research  analysis",
        "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze",
        "https://tria.ge/210906-p1v21abbc5/behavioral2 Source",
        "https://otx.alienvault.com/indicator/file/0f51b0620dbbd782c786613f396b5341a8341a4131b3c9bef47f96bd446a07a7",
        "https://otx.alienvault.com/indicator/file/1ee0ff6d3d73df2052c8b426051d3e69da65e7f27d856de81c72c850127dced2",
        "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora",
        "https://any.run/report/c0e63d3688879e4c415fe9c99649dd6c0cfed77424c979dd65d597a6f524cb03/ceac4db6-f8b0-4379-aa55-b4dd71ef85c3",
        "Linked to my domains, urls, websites, other media. At some point this link could  be found in many legal state, federal, domains, website  as well as extremely, overtly malicious websites, domains, urls.....",
        "https://www.virustotal.com/gui/domain/lazystax.ru/details",
        "https://www.vmray.com/analyses/de4dcdc5a37d/report/report.pdf Source",
        "https://www.jelenia-gora.so.gov.pl/",
        "S?d Rejonowy w Jeleniej G\u00f3rze.htm",
        "Xcitium Verdict Cloud:  Media Sharing",
        "https://www.jelenia-gora.sr.gov.pl/spacer",
        "Forcepoint ThreatSeeker: Government",
        "alphaMountain.ai:  Malicious (alphaMountain.ai)",
        "https://otx.alienvault.com/indicator/file/ef181d8efbb126e26fdd753e3287858063ea1cbc2baceb855949c25cfc3c4f40",
        "https://otx.alienvault.com/indicator/domain/Lazystax.ru"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Trojan:Win32/Glupteba"
          ],
          "malware_families": [
            "",
            "Alf:heraklezeval:trojan:win32/arkeistealer.rm!rfn",
            "Trojan:win32/emotet.yl",
            "Alf:heraklezeval:trojan:win32/midrami.a",
            "Backdoor:win32/tofsee.t",
            "Serwer",
            "Alf:heraklezeval:trojan:win32/glupteba",
            "Trojan:win32/androm.r!mtb",
            "Trojan:win32/azorult.gm!mtb",
            "Pws:win32/predator.km!mtb",
            "Ransom:win32/sodinokibi.sk!msr"
          ],
          "industries": [
            "Technology"
          ],
          "unique_indicators": 60692
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/willaecho.pl",
    "whois": "http://whois.domaintools.com/willaecho.pl",
    "domain": "willaecho.pl",
    "hostname": "zmail.willaecho.pl"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "66246ff49ed29ea9bb2bf122",
      "name": "S\u0105d Rejonowy w Jeleniej Gorze  POLAND",
      "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations",
      "modified": "2025-05-14T21:18:36.989000",
      "created": "2024-04-21T01:46:28.554000",
      "tags": [
        "jeleniej grze",
        "aktualnoci",
        "informacje",
        "jednostka",
        "rejonowy",
        "konkurs",
        "najczciej",
        "sd rejonowy",
        "przejd",
        "czytaj",
        "click",
        "sdzia jarosaw",
        "wydziau",
        "sdzia grzegorz",
        "katarzyna",
        "rudnicka dane",
        "kontaktowe sd",
        "jelenia gra",
        "mickiewicza",
        "zawarto",
        "html",
        "nazwa meta",
        "robotw",
        "telefon",
        "brak",
        "skala",
        "ua zgodna",
        "head body",
        "zasb",
        "cname",
        "kod odpowiedzi",
        "kodowanie treci",
        "wygasa",
        "gmt serwer",
        "pragma",
        "kontrola pamici",
        "podrcznej",
        "data",
        "gmt kontrola",
        "dostpuzezwl na",
        "czytaj wicej",
        "sd okrgowy",
        "jednostki",
        "okrgowy",
        "ogoszenia",
        "sha256",
        "vhash",
        "ssdeep",
        "https odcisk",
        "palca jarma",
        "https dane",
        "v3 numer",
        "odcisk palca",
        "tworzy katalog",
        "tworzy pliki",
        "typ pliku",
        "json",
        "ascii",
        "windows",
        "sqlite",
        "foxpro fpt",
        "links typ",
        "mapa",
        "152 x",
        "sqlite w",
        "sha1",
        "sha512",
        "file size",
        "b file",
        "testing",
        "komornik sdowy",
        "sdzie rejonowym",
        "tomasz rodacki",
        "obwieszczenie",
        "komornicze",
        "tumacza migam",
        "tumacz czynny",
        "zamknite",
        "wiadczenia",
        "schedule",
        "error",
        "javascript",
        "bakers hall",
        "ixaction",
        "script",
        "ixchatlauncher",
        "compatibility",
        "com dla",
        "t1055 pewno",
        "unikanie obrony",
        "t1036 maskarada",
        "t1082 pewno",
        "informacje o",
        "nazwa pliku",
        "dokument pdf",
        "rozmiar pliku",
        "zapowied",
        "type",
        "iii dbt",
        "utf8",
        "dziennik"
      ],
      "references": [
        "S?d Rejonowy w Jeleniej G\u00f3rze.htm",
        "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm",
        "http://www.jelenia-gora.so.gov.pl/",
        "https://www.jelenia-gora.so.gov.pl/",
        "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze",
        "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora",
        "https://www.jelenia-gora.sr.gov.pl/spacer",
        "https://waf.intelix.pl/957476/Chat/Script/Compatibility"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "",
          "display_name": "",
          "target": null
        },
        {
          "id": "serwer",
          "display_name": "serwer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 71,
        "domain": 7651,
        "hostname": 7680,
        "IPv4": 331,
        "FileHash-SHA256": 16168,
        "URL": 10399,
        "FileHash-MD5": 3639,
        "FileHash-SHA1": 3468,
        "CIDR": 4,
        "CVE": 89,
        "YARA": 521,
        "SSLCertFingerprint": 25,
        "JA3": 1,
        "IPv6": 5813
      },
      "indicator_count": 55860,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "339 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "666a290827eb9a7dec1aa57f",
      "name": "just checking",
      "description": "",
      "modified": "2024-07-12T21:02:00.286000",
      "created": "2024-06-12T23:02:32.039000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 1278,
        "URL": 5288,
        "domain": 1217,
        "hostname": 2980,
        "CVE": 1
      },
      "indicator_count": 10774,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 178,
      "modified_text": "645 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6570a79b4cdcde83bffbd1df",
      "name": "Tofsee | Lazystax[.]ru - Malicious malware campaign continues",
      "description": "",
      "modified": "2023-12-06T16:55:55.527000",
      "created": "2023-12-06T16:55:55.527000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 776,
        "URL": 733,
        "domain": 184,
        "FileHash-MD5": 69,
        "FileHash-SHA1": 69,
        "hostname": 248
      },
      "indicator_count": 2079,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "864 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "651a2967995342c1de08e420",
      "name": "Tofsee | Lazystax[.]ru - Malicious malware campaign continues",
      "description": "Domain Sporadically Resolves to an IP\nDNS: Stopped resolving 09/30/2023 and 10/02/2023. Was sharing Tofsee and other malware. August - October 2nd lazystax\u00b0ru shared Emotet, Tofsee, Glupteba intermittently, combined with other malicious files. \nCurrently communicates 70+ malicious files.\nDomain not resolving\nRunning webserver\nRunning webserver",
      "modified": "2023-10-31T19:02:38.816000",
      "created": "2023-10-02T02:22:31.892000",
      "tags": [
        "contacted",
        "referrer",
        "whois whois",
        "historical ssl",
        "resolutions",
        "ssl certificate",
        "kradnie krypto",
        "axelo",
        "atkafij0 https",
        "ssl w",
        "execution",
        "Bot Nets",
        "Government",
        "malicious",
        "tofsee",
        "gheg",
        "historicalandnew",
        "C2",
        "C2 extraction",
        "C2 injection",
        "2023/30/09 Trojan:WIN32.Emotet.YL",
        "nginx",
        "urknames.com",
        "reg-ru",
        "remote address: 8.8.8.8:53",
        "svchost.exe",
        "backdoor"
      ],
      "references": [
        "https://threatfox.abuse.ch/browse/tag/tofsee/",
        "https://www.virustotal.com/gui/domain/lazystax.ru/details",
        "https://www.virustotal.com/gui/domain/lazystax.ru/community",
        "Sophos: Command and Control Webroot: Bot Nets",
        "Xcitium Verdict Cloud:  Media Sharing",
        "Forcepoint ThreatSeeker: Government",
        "alphaMountain.ai:  Malicious (alphaMountain.ai)",
        "Online Research",
        "Research  analysis",
        "Linked to my domains, urls, websites, other media. At some point this link could  be found in many legal state, federal, domains, website  as well as extremely, overtly malicious websites, domains, urls.....",
        "https://tria.ge/210906-p1v21abbc5/behavioral2 Source",
        "https://otx.alienvault.com/indicator/domain/Lazystax.ru",
        "https://otx.alienvault.com/indicator/file/ef181d8efbb126e26fdd753e3287858063ea1cbc2baceb855949c25cfc3c4f40",
        "https://otx.alienvault.com/indicator/file/0f51b0620dbbd782c786613f396b5341a8341a4131b3c9bef47f96bd446a07a7",
        "https://otx.alienvault.com/indicator/file/1ee0ff6d3d73df2052c8b426051d3e69da65e7f27d856de81c72c850127dced2",
        "https://any.run/report/c0e63d3688879e4c415fe9c99649dd6c0cfed77424c979dd65d597a6f524cb03/ceac4db6-f8b0-4379-aa55-b4dd71ef85c3",
        "https://otx.alienvault.com/indicator/file/aca0a107d9f67951a37f3c9e5330c625a48e2fc72b636548c94e66573c509d37",
        "https://twitter.com/RexorVc0/status/1555074253795606529",
        "https://www.malwareurl.com/ns_listing.php?ip=195.123.1.2",
        "https://www.vmray.com/analyses/de4dcdc5a37d/report/report.pdf Source"
      ],
      "public": 1,
      "adversary": "Trojan:Win32/Glupteba",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Azorult.GM!MTB",
          "display_name": "Trojan:Win32/Azorult.GM!MTB",
          "target": "/malware/Trojan:Win32/Azorult.GM!MTB"
        },
        {
          "id": "Trojan:Win32/Androm.R!MTB",
          "display_name": "Trojan:Win32/Androm.R!MTB",
          "target": "/malware/Trojan:Win32/Androm.R!MTB"
        },
        {
          "id": "Ransom:Win32/Sodinokibi.SK!MSR",
          "display_name": "Ransom:Win32/Sodinokibi.SK!MSR",
          "target": "/malware/Ransom:Win32/Sodinokibi.SK!MSR"
        },
        {
          "id": "PWS:Win32/Predator.KM!MTB",
          "display_name": "PWS:Win32/Predator.KM!MTB",
          "target": "/malware/PWS:Win32/Predator.KM!MTB"
        },
        {
          "id": "Backdoor:Win32/Tofsee.T",
          "display_name": "Backdoor:Win32/Tofsee.T",
          "target": "/malware/Backdoor:Win32/Tofsee.T"
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/Midrami.A",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/Midrami.A",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/ArkeiStealer.RM!rfn",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/ArkeiStealer.RM!rfn",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/Glupteba",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/Glupteba",
          "target": null
        },
        {
          "id": "Trojan:Win32/Emotet.YL",
          "display_name": "Trojan:Win32/Emotet.YL",
          "target": "/malware/Trojan:Win32/Emotet.YL"
        }
      ],
      "attack_ids": [],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 69,
        "FileHash-SHA1": 69,
        "FileHash-SHA256": 776,
        "URL": 733,
        "domain": 184,
        "hostname": 248
      },
      "indicator_count": 2079,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "900 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65405dd9911a5b7964bd656a",
      "name": "Tofsee | Lazystax[.]ru - Malicious malware campaign continues [ Pulse created by user  b..,.........",
      "description": "",
      "modified": "2023-10-31T19:02:38.816000",
      "created": "2023-10-31T01:52:25.951000",
      "tags": [
        "contacted",
        "referrer",
        "whois whois",
        "historical ssl",
        "resolutions",
        "ssl certificate",
        "kradnie krypto",
        "axelo",
        "atkafij0 https",
        "ssl w",
        "execution",
        "Bot Nets",
        "Government",
        "malicious",
        "tofsee",
        "gheg",
        "historicalandnew",
        "C2",
        "C2 extraction",
        "C2 injection",
        "2023/30/09 Trojan:WIN32.Emotet.YL",
        "nginx",
        "urknames.com",
        "reg-ru",
        "remote address: 8.8.8.8:53",
        "svchost.exe",
        "backdoor"
      ],
      "references": [
        "https://threatfox.abuse.ch/browse/tag/tofsee/",
        "https://www.virustotal.com/gui/domain/lazystax.ru/details",
        "https://www.virustotal.com/gui/domain/lazystax.ru/community",
        "Sophos: Command and Control Webroot: Bot Nets",
        "Xcitium Verdict Cloud:  Media Sharing",
        "Forcepoint ThreatSeeker: Government",
        "alphaMountain.ai:  Malicious (alphaMountain.ai)",
        "Online Research",
        "Research  analysis",
        "Linked to my domains, urls, websites, other media. At some point this link could  be found in many legal state, federal, domains, website  as well as extremely, overtly malicious websites, domains, urls.....",
        "https://tria.ge/210906-p1v21abbc5/behavioral2 Source",
        "https://otx.alienvault.com/indicator/domain/Lazystax.ru",
        "https://otx.alienvault.com/indicator/file/ef181d8efbb126e26fdd753e3287858063ea1cbc2baceb855949c25cfc3c4f40",
        "https://otx.alienvault.com/indicator/file/0f51b0620dbbd782c786613f396b5341a8341a4131b3c9bef47f96bd446a07a7",
        "https://otx.alienvault.com/indicator/file/1ee0ff6d3d73df2052c8b426051d3e69da65e7f27d856de81c72c850127dced2",
        "https://any.run/report/c0e63d3688879e4c415fe9c99649dd6c0cfed77424c979dd65d597a6f524cb03/ceac4db6-f8b0-4379-aa55-b4dd71ef85c3",
        "https://otx.alienvault.com/indicator/file/aca0a107d9f67951a37f3c9e5330c625a48e2fc72b636548c94e66573c509d37",
        "https://twitter.com/RexorVc0/status/1555074253795606529",
        "https://www.malwareurl.com/ns_listing.php?ip=195.123.1.2",
        "https://www.vmray.com/analyses/de4dcdc5a37d/report/report.pdf Source"
      ],
      "public": 1,
      "adversary": "Trojan:Win32/Glupteba",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Azorult.GM!MTB",
          "display_name": "Trojan:Win32/Azorult.GM!MTB",
          "target": "/malware/Trojan:Win32/Azorult.GM!MTB"
        },
        {
          "id": "Trojan:Win32/Androm.R!MTB",
          "display_name": "Trojan:Win32/Androm.R!MTB",
          "target": "/malware/Trojan:Win32/Androm.R!MTB"
        },
        {
          "id": "Ransom:Win32/Sodinokibi.SK!MSR",
          "display_name": "Ransom:Win32/Sodinokibi.SK!MSR",
          "target": "/malware/Ransom:Win32/Sodinokibi.SK!MSR"
        },
        {
          "id": "PWS:Win32/Predator.KM!MTB",
          "display_name": "PWS:Win32/Predator.KM!MTB",
          "target": "/malware/PWS:Win32/Predator.KM!MTB"
        },
        {
          "id": "Backdoor:Win32/Tofsee.T",
          "display_name": "Backdoor:Win32/Tofsee.T",
          "target": "/malware/Backdoor:Win32/Tofsee.T"
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/Midrami.A",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/Midrami.A",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/ArkeiStealer.RM!rfn",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/ArkeiStealer.RM!rfn",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/Glupteba",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/Glupteba",
          "target": null
        },
        {
          "id": "Trojan:Win32/Emotet.YL",
          "display_name": "Trojan:Win32/Emotet.YL",
          "target": "/malware/Trojan:Win32/Emotet.YL"
        }
      ],
      "attack_ids": [],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "651a2967995342c1de08e420",
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 69,
        "FileHash-SHA1": 69,
        "FileHash-SHA256": 776,
        "URL": 733,
        "domain": 184,
        "hostname": 248
      },
      "indicator_count": 2079,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 220,
      "modified_text": "900 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://zmail.willaecho.pl",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://zmail.willaecho.pl",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776616957.5341656
}