{
  "type": "Domain",
  "indicator": "metrosoft.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/metrosoft.com",
    "alexa": "http://www.alexa.com/siteinfo/metrosoft.com",
    "indicator": "metrosoft.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4125402735,
      "indicator": "metrosoft.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "68c1ab04939cdc929c199df3",
          "name": "Copy of Jelenia G\u00f3ra ip: 217. 153 .104 .197  Port 433 Outlook T-Mobile Polska S.A.",
          "description": "IOCs from VT Graph (Miniuser, 2025)",
          "modified": "2025-10-10T16:03:06.210000",
          "created": "2025-09-10T16:44:52.857000",
          "tags": [
            "targeturl"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g6fb03aef03ad4f55b8dada103eb085240b037503b46b4eb982d81f5b1343acb2?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 52,
            "FileHash-SHA1": 52,
            "FileHash-SHA256": 220,
            "URL": 40,
            "domain": 14,
            "hostname": 101
          },
          "indicator_count": 479,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "233 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b52e3db91f62164dc0ac20",
          "name": "TELEKOM !!!???cooperation with networksolutions[.]com & web[.] com & plus[.]net",
          "description": "VT Graph (miniuser, 08.31.25)\nThe IOCs in this graph appear to be associated with known malware campaigns, particularly Androxgh0st (a credential-stealing malware) and Tofsee (a multi-purpose botnet malware for spam, DDoS, and credential theft). Some IOCs tie into broader threat reports from sources like CISA (Cybersecurity and Infrastructure Security Agency) and threat intelligence platforms (e.g., ThreatFox, SOCRadar). Other Potential Links:\n  - Metrosoft.com: Legitimate financial software site; no direct malice, but could be targeted in supply-chain attacks or impersonated (e.g., via similar domains).\n  - Pr-cy.ru: SEO/analysis tool; high reputation (secure per Scam Detector), likely benign but could be abused for reconnaissance.\n  - Legitimate clusters (e.g., plus.net subdomains like inmx-peh-010.plus.net): Email/MX servers; possibly used in spam relays or phishing (common in Androxgh0st).\n  - Digicert/Microsoft URLs: Benign cert/update endpoints; may indicate malware checking for updates or using legit certs for evasion.",
          "modified": "2025-10-01T05:04:45.876000",
          "created": "2025-09-01T05:25:17.143000",
          "tags": [
            "entity"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g21d6ab9bdfa94576a92c7f9de9fd763ca867d9d7c1454b1ab3d7af093394d579?theme=dark",
            "https://viz.greynoise.io/ip/analysis/f691c147-e4f0-48d9-b430-17b0faabc131"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 91,
            "FileHash-SHA1": 91,
            "FileHash-SHA256": 469,
            "URL": 19,
            "domain": 46,
            "hostname": 156
          },
          "indicator_count": 872,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 133,
          "modified_text": "242 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b3efe23fecb18fbe444e6f",
          "name": "Copy of Jelenia G\u00f3ra ip: 217.153.104.197  Port 433 Outlook T-Mobile Polska S.A.",
          "description": "VT Graph, Miniuser (08.31.25)",
          "modified": "2025-09-30T06:02:47.467000",
          "created": "2025-08-31T06:46:58.381000",
          "tags": [
            "entity",
            "targeturl"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g6fb03aef03ad4f55b8dada103eb085240b037503b46b4eb982d81f5b1343acb2?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 52,
            "FileHash-SHA1": 52,
            "FileHash-SHA256": 220,
            "URL": 40,
            "domain": 14,
            "hostname": 101
          },
          "indicator_count": 479,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "243 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g6fb03aef03ad4f55b8dada103eb085240b037503b46b4eb982d81f5b1343acb2?theme=dark",
        "https://viz.greynoise.io/ip/analysis/f691c147-e4f0-48d9-b430-17b0faabc131",
        "https://www.virustotal.com/graph/embed/g21d6ab9bdfa94576a92c7f9de9fd763ca867d9d7c1454b1ab3d7af093394d579?theme=dark"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [
            "Telecommunications"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "68c1ab04939cdc929c199df3",
      "name": "Copy of Jelenia G\u00f3ra ip: 217. 153 .104 .197  Port 433 Outlook T-Mobile Polska S.A.",
      "description": "IOCs from VT Graph (Miniuser, 2025)",
      "modified": "2025-10-10T16:03:06.210000",
      "created": "2025-09-10T16:44:52.857000",
      "tags": [
        "targeturl"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g6fb03aef03ad4f55b8dada103eb085240b037503b46b4eb982d81f5b1343acb2?theme=dark"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 52,
        "FileHash-SHA1": 52,
        "FileHash-SHA256": 220,
        "URL": 40,
        "domain": 14,
        "hostname": 101
      },
      "indicator_count": 479,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "233 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b52e3db91f62164dc0ac20",
      "name": "TELEKOM !!!???cooperation with networksolutions[.]com & web[.] com & plus[.]net",
      "description": "VT Graph (miniuser, 08.31.25)\nThe IOCs in this graph appear to be associated with known malware campaigns, particularly Androxgh0st (a credential-stealing malware) and Tofsee (a multi-purpose botnet malware for spam, DDoS, and credential theft). Some IOCs tie into broader threat reports from sources like CISA (Cybersecurity and Infrastructure Security Agency) and threat intelligence platforms (e.g., ThreatFox, SOCRadar). Other Potential Links:\n  - Metrosoft.com: Legitimate financial software site; no direct malice, but could be targeted in supply-chain attacks or impersonated (e.g., via similar domains).\n  - Pr-cy.ru: SEO/analysis tool; high reputation (secure per Scam Detector), likely benign but could be abused for reconnaissance.\n  - Legitimate clusters (e.g., plus.net subdomains like inmx-peh-010.plus.net): Email/MX servers; possibly used in spam relays or phishing (common in Androxgh0st).\n  - Digicert/Microsoft URLs: Benign cert/update endpoints; may indicate malware checking for updates or using legit certs for evasion.",
      "modified": "2025-10-01T05:04:45.876000",
      "created": "2025-09-01T05:25:17.143000",
      "tags": [
        "entity"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g21d6ab9bdfa94576a92c7f9de9fd763ca867d9d7c1454b1ab3d7af093394d579?theme=dark",
        "https://viz.greynoise.io/ip/analysis/f691c147-e4f0-48d9-b430-17b0faabc131"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 91,
        "FileHash-SHA1": 91,
        "FileHash-SHA256": 469,
        "URL": 19,
        "domain": 46,
        "hostname": 156
      },
      "indicator_count": 872,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 133,
      "modified_text": "242 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b3efe23fecb18fbe444e6f",
      "name": "Copy of Jelenia G\u00f3ra ip: 217.153.104.197  Port 433 Outlook T-Mobile Polska S.A.",
      "description": "VT Graph, Miniuser (08.31.25)",
      "modified": "2025-09-30T06:02:47.467000",
      "created": "2025-08-31T06:46:58.381000",
      "tags": [
        "entity",
        "targeturl"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g6fb03aef03ad4f55b8dada103eb085240b037503b46b4eb982d81f5b1343acb2?theme=dark"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 52,
        "FileHash-SHA1": 52,
        "FileHash-SHA256": 220,
        "URL": 40,
        "domain": 14,
        "hostname": 101
      },
      "indicator_count": 479,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 131,
      "modified_text": "243 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "metrosoft.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "metrosoft.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780284808.8312018
}