{ "type": "Domain", "indicator": "i.do", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/i.do", "alexa": "http://www.alexa.com/siteinfo/i.do", "indicator": "i.do", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3155624097, "indicator": "i.do", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "63b580a925bb698985fa83ea", "name": "vendor.bundle.js", "description": "", "modified": "2023-02-03T13:00:02.804000", "created": "2023-01-04T13:35:37.535000", "tags": [ "vxstream", "trojan", "apt", "memoryfile scan", "error", "progresstype", "graytext", "typeof e", "highlight", "bg96gwp", "typeof", "window", "null", "date", "span", "path", "meta", "push", "unknown", "roboto", "scroll", "suspicious", "close", "light", "template", "abcd", "android", "trident", "backspace", "insert", "4096", "void", "legend", "iframe", "webview", "infinity", "ransomware", "malicious", "accept toggle", "voice", "upgrade" ], "references": [ "https://hybrid-analysis.com/sample/f90162e65235185a24e9f20d855371b8ad7462d50d7a57851d000cfd5116f76d", "This website contains the details of an anti-virus scan conducted by the MetaDefender, which aims to identify and remove malware from websites, websites and social media sites, including Facebook, Twitter and YouTube.", "original dropped file discovery url", "http://lifehacker.com/assets/stylesheets/app-a873b056f0ea955e4ff0abebb210e5a6.css", "Making HTTPS connections using insecure TLS/SSL version details Connection was make using TLSv1.1 [tls.handshake.version: 0x00000302] source Network Traffic relevance 10/10 ATT&CK ID T1573 (Show technique in the MITRE ATT&CK\u2122 matrix)", "https://hybrid-analysis.com/sample/f90162e65235185a24e9f20d855371b8ad7462d50d7a57851d000cfd5116f76d/63aef1a83e3bb16765527bb8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 205, "URL": 1340, "FileHash-SHA256": 407, "hostname": 491, "FileHash-MD5": 8, "email": 1, "FileHash-SHA1": 1 }, "indicator_count": 2453, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1214 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "639623a5487be926a37da77a", "name": "http://dx18.198449.com - CN - Hybrid-A TS 100/100", "description": "Whats with these capitals in http urls on adobe??? \nhttp://ns.adobe.com/tiff/1.0/b -when you copy and paste the return to normal", "modified": "2022-12-12T02:29:32.721000", "created": "2022-12-11T18:38:29.678000", "tags": [ "ansi", "decrypted ssl", "data", "windows nt", "center", "runtime data", "html", "okserver", "adobe photoshop", "adobe xmp", "core", "body", "lung", "gpix", "size", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "seen", "hash", "description png", "rgba", "1www.meitu.com", "http://yes.i.do/" ], "references": [ "1www.meitu.com", "http://yes.i.do/", "https://hybrid-analysis.com/sample/a8dd31f3f6a38a671c7a9123883d850f6e5dae7b0ef1ac79674187e99c4dcfba/63893e1faa769374f902315c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 103, "URL": 67, "hostname": 10, "domain": 11, "FileHash-MD5": 143, "FileHash-SHA1": 44 }, "indicator_count": 378, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1267 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6261ef2eb26077a0141408d8", "name": "http://memoria.bn.br/pdf/107670/per107670_1927_05770.pdf", "description": "", "modified": "2022-05-22T00:01:01.264000", "created": "2022-04-21T23:56:30.905000", "tags": [], "references": [ "http://memoria.bn.br/pdf/107670/per107670_1927_05770.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 40, "hostname": 22, "domain": 110 }, "indicator_count": 172, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1471 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Making HTTPS connections using insecure TLS/SSL version details Connection was make using TLSv1.1 [tls.handshake.version: 0x00000302] source Network Traffic relevance 10/10 ATT&CK ID T1573 (Show technique in the MITRE ATT&CK\u2122 matrix)", "1www.meitu.com", "https://hybrid-analysis.com/sample/f90162e65235185a24e9f20d855371b8ad7462d50d7a57851d000cfd5116f76d", "http://memoria.bn.br/pdf/107670/per107670_1927_05770.pdf", "http://yes.i.do/", "https://hybrid-analysis.com/sample/a8dd31f3f6a38a671c7a9123883d850f6e5dae7b0ef1ac79674187e99c4dcfba/63893e1faa769374f902315c", "http://lifehacker.com/assets/stylesheets/app-a873b056f0ea955e4ff0abebb210e5a6.css", "https://hybrid-analysis.com/sample/f90162e65235185a24e9f20d855371b8ad7462d50d7a57851d000cfd5116f76d/63aef1a83e3bb16765527bb8", "original dropped file discovery url", "This website contains the details of an anti-virus scan conducted by the MetaDefender, which aims to identify and remove malware from websites, websites and social media sites, including Facebook, Twitter and YouTube." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "63b580a925bb698985fa83ea", "name": "vendor.bundle.js", "description": "", "modified": "2023-02-03T13:00:02.804000", "created": "2023-01-04T13:35:37.535000", "tags": [ "vxstream", "trojan", "apt", "memoryfile scan", "error", "progresstype", "graytext", "typeof e", "highlight", "bg96gwp", "typeof", "window", "null", "date", "span", "path", "meta", "push", "unknown", "roboto", "scroll", "suspicious", "close", "light", "template", "abcd", "android", "trident", "backspace", "insert", "4096", "void", "legend", "iframe", "webview", "infinity", "ransomware", "malicious", "accept toggle", "voice", "upgrade" ], "references": [ "https://hybrid-analysis.com/sample/f90162e65235185a24e9f20d855371b8ad7462d50d7a57851d000cfd5116f76d", "This website contains the details of an anti-virus scan conducted by the MetaDefender, which aims to identify and remove malware from websites, websites and social media sites, including Facebook, Twitter and YouTube.", "original dropped file discovery url", "http://lifehacker.com/assets/stylesheets/app-a873b056f0ea955e4ff0abebb210e5a6.css", "Making HTTPS connections using insecure TLS/SSL version details Connection was make using TLSv1.1 [tls.handshake.version: 0x00000302] source Network Traffic relevance 10/10 ATT&CK ID T1573 (Show technique in the MITRE ATT&CK\u2122 matrix)", "https://hybrid-analysis.com/sample/f90162e65235185a24e9f20d855371b8ad7462d50d7a57851d000cfd5116f76d/63aef1a83e3bb16765527bb8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 205, "URL": 1340, "FileHash-SHA256": 407, "hostname": 491, "FileHash-MD5": 8, "email": 1, "FileHash-SHA1": 1 }, "indicator_count": 2453, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1214 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "639623a5487be926a37da77a", "name": "http://dx18.198449.com - CN - Hybrid-A TS 100/100", "description": "Whats with these capitals in http urls on adobe??? \nhttp://ns.adobe.com/tiff/1.0/b -when you copy and paste the return to normal", "modified": "2022-12-12T02:29:32.721000", "created": "2022-12-11T18:38:29.678000", "tags": [ "ansi", "decrypted ssl", "data", "windows nt", "center", "runtime data", "html", "okserver", "adobe photoshop", "adobe xmp", "core", "body", "lung", "gpix", "size", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "seen", "hash", "description png", "rgba", "1www.meitu.com", "http://yes.i.do/" ], "references": [ "1www.meitu.com", "http://yes.i.do/", "https://hybrid-analysis.com/sample/a8dd31f3f6a38a671c7a9123883d850f6e5dae7b0ef1ac79674187e99c4dcfba/63893e1faa769374f902315c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 103, "URL": 67, "hostname": 10, "domain": 11, "FileHash-MD5": 143, "FileHash-SHA1": 44 }, "indicator_count": 378, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1267 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6261ef2eb26077a0141408d8", "name": "http://memoria.bn.br/pdf/107670/per107670_1927_05770.pdf", "description": "", "modified": "2022-05-22T00:01:01.264000", "created": "2022-04-21T23:56:30.905000", "tags": [], "references": [ "http://memoria.bn.br/pdf/107670/per107670_1927_05770.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 40, "hostname": 22, "domain": 110 }, "indicator_count": 172, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1471 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "i.do", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "i.do", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780320737.3054335 }