{ "type": "Domain", "indicator": "nod32.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/nod32.com", "alexa": "http://www.alexa.com/siteinfo/nod32.com", "indicator": "nod32.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2201434575, "indicator": "nod32.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69f47e886aac3dce3a958d27", "name": "2011: Malware Analysis Report", "description": "", "modified": "2026-05-01T10:20:56.666000", "created": "2026-05-01T10:20:56.666000", "tags": [], "references": [ "2011-03-11 - Trojan.Koredos Comes with an Unwelcomed Surprise.pdf", "2011-01-20 - Beschreibung des Virus Backdoor.Win32. Buterat.afj.pdf", "2011-03-08 - Worm-Win32-Yimfoca.A.pdf", "2011-03-02 - TDL4 and Glupteba- Piggyback PiggyBugs.pdf", "2011-04-26 - SpyEye Targets Opera, Google Chrome Users.pdf", "2011-03-28 - Microsoft Hunting Rustock Controllers.pdf", "2011-01-09 - Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce.pdf", "2011-04-19 - TDSS part 1- The x64 Dollar Question.pdf", "2011-04-16 - Troj-Sasfis-O.pdf", "2011-05-19 - Win32-Expiro.pdf", "2011-06-22 - Criminals gain control over Mac with BackDoor.Olyx.pdf", "2011-04-30 - BKA-Trojaner (Ransomware).pdf", "2011-06-29 - Inside a Back Door Attack.pdf", "2011-07-26 - SpyEye Trojan defeating online banking defenses.pdf", "2011-04-28 - Un observateur d\u2019\u00e9v\u00e9nements aveugle\u2026.pdf", "2011-07-08 - Trojan.Mayachok.2- ?????? ??????? ?????????? VBR-???????.pdf", "2011-07-14 - Cycbot- Ready to Ride.pdf", "2011-07-06 - Cybercriminals switch from MBR to NTFS.pdf", "2011-07-28 - Trojan Tricks Victims Into Transferring Funds.pdf", "2011-08-27 - Morto.A.pdf", "2011-01-30 - GpCode Ransomware 2010 Simple Analysis.pdf", "2011-08-03 - HTran and the Advanced Persistent Threat.pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading.pdf", "2011-09-09 - BIOS Threat is Showing up Again!.pdf", "2011-09-02 - ZeuS Gets Another Update.pdf", "2011-08-24 - Ice IX, the first crimeware based on the leaked ZeuS sources.pdf", "2011-09-13 - Mebromi- the first BIOS rootkit in the wild.pdf", "2011-08-04 - Analysis of ngrBot.pdf", "2011-09-14 - Ice IX- not cool at all.pdf", "2011-09-14 - Malware burrows deep into computer BIOS to escape AV.pdf", "2011-09-19 - Mebromi BIOS rootkit affecting Award BIOS (aka -BMW- virus).pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading22.pdf", "2011-09-21 - Sept 21 Greedy Shylock - financial malware.pdf", "2011-09-09 - Stuxnet Malware Analysis Paper.pdf", "2011-09-27 - Debugging Injected Code with IDA Pro.pdf", "2011-10-07 - Rustock samples and analysis links. Rustock.C, E, I, J and other variants.pdf", "2011-10-14 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-10-06 - ZeuS-in-the-Mobile \u2013 Facts and Theories.pdf", "2011-10-08 - Possible Governmental Backdoor Found (-Case R2D2-).pdf", "2011-10-17 - W32-Yunsip!tr.pws.pdf", "2011-10-06 - Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI).pdf", "2011-10-13 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-10-31 - The Significance of the -Nitro- Attacks.pdf", "2011-10-26 - Tsunami Backdoor Can Be Used for Denial of Service Attacks.pdf", "2011-12-20 - Analyzing CVE-2011-4369 \u2013 Part One.pdf", "2011-12-08 - The Sykipot Attacks.pdf", "2011-12-11 - Intro. To Reversing - W32Pinkslipbot.pdf", "Duqu Trojan Questions and Answers.pdf", "Palebot trojan.pdf", "HTran.pdf", "Ghost RAT- Many faces.pdf", "Operation Shady Rat.pdf", "Alleged APT Intrusion Set 1.php Group.pdf", "Stuxnet , Duqu - The Evolution of Drivers.pdf", "The RSA Hack.pdf", "The Nitro Attacks - Stealing secrets from the Chemical Industry.pdf", "Global_Energy_Cyberattacks_-_Night_Dragon_.pdf", "The LURID Downloader.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1031, "domain": 435, "CVE": 13, "FileHash-MD5": 155, "FileHash-SHA1": 8, "FileHash-SHA256": 234, "IPv4": 88, "email": 9, "hostname": 1031 }, "indicator_count": 3004, "is_author": false, "is_subscribing": null, "subscriber_count": 12, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "665ec0cfd110b0694c51fbe2", "name": "Eset - Dorkbot", "description": "Dorkbot a self-propagating program that can spread itself from one computer to another threatening to perform numerous f actions of a malicious hacker's choice on PC. Found on an updated windows machine. Hacker named machine, installed apple viewing software programs, partitioned 'zombie' machine. Network of compromised, sketchy remote transfer agents of a professional in the service industry. Serious impact on or companies impact on remote workers contracted by company in question due to the abrupt cessation of business of a recognized brand it's industry. Unfortunately, the documentation of this Eset programs behavior has been misplaced. From recall. this install identified and allowed threats, d. It was a weird see with the names eye experience. Incoming request/ Remote operators, disallowed many transactions and other basic use of software. Workers potentially working a database from individuals whose PII & PHI was leaked.", "modified": "2024-07-04T06:01:28.799000", "created": "2024-06-04T07:22:55.572000", "tags": [ "historical ssl", "referrer", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "csl computer", "gmbh dba", "contact phone", "domain status", "registrar url", "registrar whois", "contact email", "code", "united", "unknown", "aaaa", "as14061", "cname", "search", "emails", "dnssec", "showing", "win32", "title error", "passive dns", "open ports", "trojan", "body doctype", "html public", "w3cdtd html", "body", "dns replication", "domain", "lookups", "email", "name server", "slovensko", "tech contact", "valid", "admin contact", "a domains", "a li", "span h3", "header link", "option option", "united kingdom", "test", "april", "meta", "paris", "eset", "yara detections", "nod32", "amon", "internalname", "online payment", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "amz cf", "creation date", "record value", "expiration date", "name servers", "servers", "status", "next", "asnone united", "moved", "certificate", "ipv4", "urls", "files", "av detections", "ids detections", "alerts", "analysis date", "cf2a", "xaax04x00", "high", "dns reply", "noip domain", "et trojan", "createsuspended", "malware traffic", "dorkbot", "malware", "copy", "name verdict", "falcon sandbox", "windows nt", "appdata", "png image", "pattern match", "indicator", "ascii text", "rgba", "get collect", "vj98", "hybrid", "general", "local", "click", "strings", "path", "ms windows", "pe32", "intel", "microsoft asf", "pe32 executable", "database", "english", "installer", "template", "tue jun", "service", "crlf line", "url https", "http", "ip address", "related nids", "files location", "tip" ], "references": [ "bpp.eset.com", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin Dorkbot GeoIP Lookup to wipmania DNS Reply Sinkhole Microsoft NO-IP", "IDS Detections: Domain Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake", "High Priority Alerts: nids_malware_alert injection_runpe network_icmp dumped_buffer2 network_irc nolookup_communication", "High Priority Alerts: allocates_execute_remote_process persistence_autorun injection_createremotethread injection_modifies_memory", "High Priority Alerts: injection_write_memory injection_write_memory_exe modifies_proxy_wpad injection_ntsetcontextthread injection_resumethread dumped_buffer network_http nids_alert suspicious_tld allocates_rwx .", "IP\u2019s Contacted: 172.217.14.226 172.217.14.234 162.217.99.134 204.95.99.243 212.83.168.196 216.58.193.67 216.58.217.42 99.86.38.99", "Domains Contacted: n.jntbxduhz.ru n.yqqufklho.ru n.lotys.ru api.wipmania.com n.vbemnggcj.ru n.hmiblgoja.ru dns.msftncsi.com n.ezjhyxxbf.ru", "https://otx.alienvault.com/indicator/file/8ad6f89c763315bf59bc3619139f8478f6bcc57d902123c8b5c413f251ff8778", "Alerts: dead_host network_icmp nolookup_communication packer_polymorphic origin_langid peid_packer", "https://healthinsurancecompanion.com/affordable-health-insurance?Landing_Page=https://healthinsurancecompanion.com/affordable-health-insurance&SRC=iDr_E", "appleremotesupport.com | http://thickapple.net/index.php", "https://normalexchange.com/v/155e44b6-11dc-11e8-9dff-01407350b0f6/c/1e289258-e09c-11e5-bea8-021988c520a1/?clickid=9023100005531544085-201802-3", "https://asserts.turbovpn.co/web/images/download/icons/apple-icon.png", "https://appleid-verify.servecounterstrike.com/", "http://schoolgirl.uxxxporn.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": ", Win.Trojan.Agent-1286703", "display_name": ", Win.Trojan.Agent-1286703", "target": null }, { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Cosmu-1058", "display_name": "Win.Trojan.Cosmu-1058", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Finance", "Healthcare", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 758, "FileHash-SHA1": 478, "FileHash-SHA256": 2561, "URL": 8210, "domain": 2202, "hostname": 2760, "email": 22, "CVE": 3 }, "indicator_count": 16994, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "696 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "2011-03-11 - Trojan.Koredos Comes with an Unwelcomed Surprise.pdf", "https://normalexchange.com/v/155e44b6-11dc-11e8-9dff-01407350b0f6/c/1e289258-e09c-11e5-bea8-021988c520a1/?clickid=9023100005531544085-201802-3", "2011-01-20 - Beschreibung des Virus Backdoor.Win32. Buterat.afj.pdf", "Global_Energy_Cyberattacks_-_Night_Dragon_.pdf", "High Priority Alerts: nids_malware_alert injection_runpe network_icmp dumped_buffer2 network_irc nolookup_communication", "bpp.eset.com", "http://schoolgirl.uxxxporn.com", "2011-10-13 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-07-28 - Trojan Tricks Victims Into Transferring Funds.pdf", "2011-07-14 - Cycbot- Ready to Ride.pdf", "Ghost RAT- Many faces.pdf", "2011-04-28 - Un observateur d\u2019\u00e9v\u00e9nements aveugle\u2026.pdf", "2011-03-08 - Worm-Win32-Yimfoca.A.pdf", "2011-09-14 - Ice IX- not cool at all.pdf", "2011-04-16 - Troj-Sasfis-O.pdf", "https://healthinsurancecompanion.com/affordable-health-insurance?Landing_Page=https://healthinsurancecompanion.com/affordable-health-insurance&SRC=iDr_E", "The RSA Hack.pdf", "2011-08-03 - HTran and the Advanced Persistent Threat.pdf", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin Dorkbot GeoIP Lookup to wipmania DNS Reply Sinkhole Microsoft NO-IP", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading22.pdf", "2011-10-07 - Rustock samples and analysis links. Rustock.C, E, I, J and other variants.pdf", "2011-10-08 - Possible Governmental Backdoor Found (-Case R2D2-).pdf", "IDS Detections: Domain Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake", "2011-06-29 - Inside a Back Door Attack.pdf", "IP\u2019s Contacted: 172.217.14.226 172.217.14.234 162.217.99.134 204.95.99.243 212.83.168.196 216.58.193.67 216.58.217.42 99.86.38.99", "Duqu Trojan Questions and Answers.pdf", "2011-12-11 - Intro. To Reversing - W32Pinkslipbot.pdf", "2011-10-06 - Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI).pdf", "2011-08-27 - Morto.A.pdf", "HTran.pdf", "2011-01-30 - GpCode Ransomware 2010 Simple Analysis.pdf", "2011-09-13 - Mebromi- the first BIOS rootkit in the wild.pdf", "2011-09-14 - Malware burrows deep into computer BIOS to escape AV.pdf", "2011-09-09 - Stuxnet Malware Analysis Paper.pdf", "https://otx.alienvault.com/indicator/file/8ad6f89c763315bf59bc3619139f8478f6bcc57d902123c8b5c413f251ff8778", "Alleged APT Intrusion Set 1.php Group.pdf", "2011-10-31 - The Significance of the -Nitro- Attacks.pdf", "2011-12-20 - Analyzing CVE-2011-4369 \u2013 Part One.pdf", "Domains Contacted: n.jntbxduhz.ru n.yqqufklho.ru n.lotys.ru api.wipmania.com n.vbemnggcj.ru n.hmiblgoja.ru dns.msftncsi.com n.ezjhyxxbf.ru", "2011-09-09 - BIOS Threat is Showing up Again!.pdf", "Alerts: dead_host network_icmp nolookup_communication packer_polymorphic origin_langid peid_packer", "2011-03-02 - TDL4 and Glupteba- Piggyback PiggyBugs.pdf", "2011-03-28 - Microsoft Hunting Rustock Controllers.pdf", "2011-06-22 - Criminals gain control over Mac with BackDoor.Olyx.pdf", "2011-04-26 - SpyEye Targets Opera, Google Chrome Users.pdf", "2011-07-26 - SpyEye Trojan defeating online banking defenses.pdf", "2011-09-19 - Mebromi BIOS rootkit affecting Award BIOS (aka -BMW- virus).pdf", "2011-10-14 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "High Priority Alerts: allocates_execute_remote_process persistence_autorun injection_createremotethread injection_modifies_memory", "Stuxnet , Duqu - The Evolution of Drivers.pdf", "High Priority Alerts: injection_write_memory injection_write_memory_exe modifies_proxy_wpad injection_ntsetcontextthread injection_resumethread dumped_buffer network_http nids_alert suspicious_tld allocates_rwx .", "https://asserts.turbovpn.co/web/images/download/icons/apple-icon.png", "2011-01-09 - Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce.pdf", "The Nitro Attacks - Stealing secrets from the Chemical Industry.pdf", "2011-08-04 - Analysis of ngrBot.pdf", "2011-10-06 - ZeuS-in-the-Mobile \u2013 Facts and Theories.pdf", "2011-10-26 - Tsunami Backdoor Can Be Used for Denial of Service Attacks.pdf", "appleremotesupport.com | http://thickapple.net/index.php", "2011-10-17 - W32-Yunsip!tr.pws.pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading.pdf", "2011-08-24 - Ice IX, the first crimeware based on the leaked ZeuS sources.pdf", "2011-09-21 - Sept 21 Greedy Shylock - financial malware.pdf", "2011-07-06 - Cybercriminals switch from MBR to NTFS.pdf", "2011-09-27 - Debugging Injected Code with IDA Pro.pdf", "2011-05-19 - Win32-Expiro.pdf", "2011-12-08 - The Sykipot Attacks.pdf", "2011-04-30 - BKA-Trojaner (Ransomware).pdf", "Operation Shady Rat.pdf", "https://appleid-verify.servecounterstrike.com/", "2011-04-19 - TDSS part 1- The x64 Dollar Question.pdf", "2011-09-02 - ZeuS Gets Another Update.pdf", "Palebot trojan.pdf", "The LURID Downloader.pdf", "2011-07-08 - Trojan.Mayachok.2- ?????? ??????? ?????????? VBR-???????.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/dorkbot.du", "Win32:malware-gen", ", win.trojan.agent-1286703", "Win32:genmalicious-kag\\ [trj]", "Trojan:win32/zombie.a", "Win.trojan.cosmu-1058" ], "industries": [ "Finance", "Technology", "Healthcare", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69f47e886aac3dce3a958d27", "name": "2011: Malware Analysis Report", "description": "", "modified": "2026-05-01T10:20:56.666000", "created": "2026-05-01T10:20:56.666000", "tags": [], "references": [ "2011-03-11 - Trojan.Koredos Comes with an Unwelcomed Surprise.pdf", "2011-01-20 - Beschreibung des Virus Backdoor.Win32. Buterat.afj.pdf", "2011-03-08 - Worm-Win32-Yimfoca.A.pdf", "2011-03-02 - TDL4 and Glupteba- Piggyback PiggyBugs.pdf", "2011-04-26 - SpyEye Targets Opera, Google Chrome Users.pdf", "2011-03-28 - Microsoft Hunting Rustock Controllers.pdf", "2011-01-09 - Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce.pdf", "2011-04-19 - TDSS part 1- The x64 Dollar Question.pdf", "2011-04-16 - Troj-Sasfis-O.pdf", "2011-05-19 - Win32-Expiro.pdf", "2011-06-22 - Criminals gain control over Mac with BackDoor.Olyx.pdf", "2011-04-30 - BKA-Trojaner (Ransomware).pdf", "2011-06-29 - Inside a Back Door Attack.pdf", "2011-07-26 - SpyEye Trojan defeating online banking defenses.pdf", "2011-04-28 - Un observateur d\u2019\u00e9v\u00e9nements aveugle\u2026.pdf", "2011-07-08 - Trojan.Mayachok.2- ?????? ??????? ?????????? VBR-???????.pdf", "2011-07-14 - Cycbot- Ready to Ride.pdf", "2011-07-06 - Cybercriminals switch from MBR to NTFS.pdf", "2011-07-28 - Trojan Tricks Victims Into Transferring Funds.pdf", "2011-08-27 - Morto.A.pdf", "2011-01-30 - GpCode Ransomware 2010 Simple Analysis.pdf", "2011-08-03 - HTran and the Advanced Persistent Threat.pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading.pdf", "2011-09-09 - BIOS Threat is Showing up Again!.pdf", "2011-09-02 - ZeuS Gets Another Update.pdf", "2011-08-24 - Ice IX, the first crimeware based on the leaked ZeuS sources.pdf", "2011-09-13 - Mebromi- the first BIOS rootkit in the wild.pdf", "2011-08-04 - Analysis of ngrBot.pdf", "2011-09-14 - Ice IX- not cool at all.pdf", "2011-09-14 - Malware burrows deep into computer BIOS to escape AV.pdf", "2011-09-19 - Mebromi BIOS rootkit affecting Award BIOS (aka -BMW- virus).pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading22.pdf", "2011-09-21 - Sept 21 Greedy Shylock - financial malware.pdf", "2011-09-09 - Stuxnet Malware Analysis Paper.pdf", "2011-09-27 - Debugging Injected Code with IDA Pro.pdf", "2011-10-07 - Rustock samples and analysis links. Rustock.C, E, I, J and other variants.pdf", "2011-10-14 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-10-06 - ZeuS-in-the-Mobile \u2013 Facts and Theories.pdf", "2011-10-08 - Possible Governmental Backdoor Found (-Case R2D2-).pdf", "2011-10-17 - W32-Yunsip!tr.pws.pdf", "2011-10-06 - Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI).pdf", "2011-10-13 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-10-31 - The Significance of the -Nitro- Attacks.pdf", "2011-10-26 - Tsunami Backdoor Can Be Used for Denial of Service Attacks.pdf", "2011-12-20 - Analyzing CVE-2011-4369 \u2013 Part One.pdf", "2011-12-08 - The Sykipot Attacks.pdf", "2011-12-11 - Intro. To Reversing - W32Pinkslipbot.pdf", "Duqu Trojan Questions and Answers.pdf", "Palebot trojan.pdf", "HTran.pdf", "Ghost RAT- Many faces.pdf", "Operation Shady Rat.pdf", "Alleged APT Intrusion Set 1.php Group.pdf", "Stuxnet , Duqu - The Evolution of Drivers.pdf", "The RSA Hack.pdf", "The Nitro Attacks - Stealing secrets from the Chemical Industry.pdf", "Global_Energy_Cyberattacks_-_Night_Dragon_.pdf", "The LURID Downloader.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1031, "domain": 435, "CVE": 13, "FileHash-MD5": 155, "FileHash-SHA1": 8, "FileHash-SHA256": 234, "IPv4": 88, "email": 9, "hostname": 1031 }, "indicator_count": 3004, "is_author": false, "is_subscribing": null, "subscriber_count": 12, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "665ec0cfd110b0694c51fbe2", "name": "Eset - Dorkbot", "description": "Dorkbot a self-propagating program that can spread itself from one computer to another threatening to perform numerous f actions of a malicious hacker's choice on PC. Found on an updated windows machine. Hacker named machine, installed apple viewing software programs, partitioned 'zombie' machine. Network of compromised, sketchy remote transfer agents of a professional in the service industry. Serious impact on or companies impact on remote workers contracted by company in question due to the abrupt cessation of business of a recognized brand it's industry. Unfortunately, the documentation of this Eset programs behavior has been misplaced. From recall. this install identified and allowed threats, d. It was a weird see with the names eye experience. Incoming request/ Remote operators, disallowed many transactions and other basic use of software. Workers potentially working a database from individuals whose PII & PHI was leaked.", "modified": "2024-07-04T06:01:28.799000", "created": "2024-06-04T07:22:55.572000", "tags": [ "historical ssl", "referrer", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "csl computer", "gmbh dba", "contact phone", "domain status", "registrar url", "registrar whois", "contact email", "code", "united", "unknown", "aaaa", "as14061", "cname", "search", "emails", "dnssec", "showing", "win32", "title error", "passive dns", "open ports", "trojan", "body doctype", "html public", "w3cdtd html", "body", "dns replication", "domain", "lookups", "email", "name server", "slovensko", "tech contact", "valid", "admin contact", "a domains", "a li", "span h3", "header link", "option option", "united kingdom", "test", "april", "meta", "paris", "eset", "yara detections", "nod32", "amon", "internalname", "online payment", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "amz cf", "creation date", "record value", "expiration date", "name servers", "servers", "status", "next", "asnone united", "moved", "certificate", "ipv4", "urls", "files", "av detections", "ids detections", "alerts", "analysis date", "cf2a", "xaax04x00", "high", "dns reply", "noip domain", "et trojan", "createsuspended", "malware traffic", "dorkbot", "malware", "copy", "name verdict", "falcon sandbox", "windows nt", "appdata", "png image", "pattern match", "indicator", "ascii text", "rgba", "get collect", "vj98", "hybrid", "general", "local", "click", "strings", "path", "ms windows", "pe32", "intel", "microsoft asf", "pe32 executable", "database", "english", "installer", "template", "tue jun", "service", "crlf line", "url https", "http", "ip address", "related nids", "files location", "tip" ], "references": [ "bpp.eset.com", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin Dorkbot GeoIP Lookup to wipmania DNS Reply Sinkhole Microsoft NO-IP", "IDS Detections: Domain Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake", "High Priority Alerts: nids_malware_alert injection_runpe network_icmp dumped_buffer2 network_irc nolookup_communication", "High Priority Alerts: allocates_execute_remote_process persistence_autorun injection_createremotethread injection_modifies_memory", "High Priority Alerts: injection_write_memory injection_write_memory_exe modifies_proxy_wpad injection_ntsetcontextthread injection_resumethread dumped_buffer network_http nids_alert suspicious_tld allocates_rwx .", "IP\u2019s Contacted: 172.217.14.226 172.217.14.234 162.217.99.134 204.95.99.243 212.83.168.196 216.58.193.67 216.58.217.42 99.86.38.99", "Domains Contacted: n.jntbxduhz.ru n.yqqufklho.ru n.lotys.ru api.wipmania.com n.vbemnggcj.ru n.hmiblgoja.ru dns.msftncsi.com n.ezjhyxxbf.ru", "https://otx.alienvault.com/indicator/file/8ad6f89c763315bf59bc3619139f8478f6bcc57d902123c8b5c413f251ff8778", "Alerts: dead_host network_icmp nolookup_communication packer_polymorphic origin_langid peid_packer", "https://healthinsurancecompanion.com/affordable-health-insurance?Landing_Page=https://healthinsurancecompanion.com/affordable-health-insurance&SRC=iDr_E", "appleremotesupport.com | http://thickapple.net/index.php", "https://normalexchange.com/v/155e44b6-11dc-11e8-9dff-01407350b0f6/c/1e289258-e09c-11e5-bea8-021988c520a1/?clickid=9023100005531544085-201802-3", "https://asserts.turbovpn.co/web/images/download/icons/apple-icon.png", "https://appleid-verify.servecounterstrike.com/", "http://schoolgirl.uxxxporn.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": ", Win.Trojan.Agent-1286703", "display_name": ", Win.Trojan.Agent-1286703", "target": null }, { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Cosmu-1058", "display_name": "Win.Trojan.Cosmu-1058", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Finance", "Healthcare", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 758, "FileHash-SHA1": 478, "FileHash-SHA256": 2561, "URL": 8210, "domain": 2202, "hostname": 2760, "email": 22, "CVE": 3 }, "indicator_count": 16994, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "696 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "nod32.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "nod32.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780210742.818423 }