{
  "type": "Domain",
  "indicator": "systemd.be",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/systemd.be",
    "alexa": "http://www.alexa.com/siteinfo/systemd.be",
    "indicator": "systemd.be",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3870590624,
      "indicator": "systemd.be",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "6659ea571eab262a3942e77c",
          "name": "system.img - Unidentified Android Ext4 filesystem pulled from my machine",
          "description": "Honestly I can't recall where I fished this out of, but I had stashed it on a cloud storage drive for later exploitation, which is what this is. At present, I don't have the slightest clue what it is or what it was doing on my computer. But with the majority of the */bin/ files coming back as symlinks to */bin/toybox, I'm assuming it's nothing that'd enhance my day-to-day life for the better. Stand by for further analysis. At present these are just the SHA256s of the filesystem itself.",
          "modified": "2024-05-31T15:18:47.112000",
          "created": "2024-05-31T15:18:47.112000",
          "tags": [
            "mntdevfb0",
            "mntdevhda1",
            "mntdevhda3",
            "mntdevkmem",
            "mntdevmem",
            "mntdevmmcblk0p1",
            "mntdevmmcblk0p3",
            "mntdevmtd0",
            "mntdevmtd2",
            "mntdevmtd4"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1991,
            "domain": 70
          },
          "indicator_count": 2063,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 73,
          "modified_text": "730 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66140ea725356bd028ab9f58",
          "name": "Dump from unbooted fresh Arch install",
          "description": "Found an interesting Rust lib in a still-chrooted fresh Arch install - whether it's relevant is still to be determined. Still having issues with OTX not wanting to take actual files. Will wring this out a little more and repost with file hashes.",
          "modified": "2024-04-08T15:35:03.223000",
          "created": "2024-04-08T15:35:03.223000",
          "tags": [
            "poetratpython",
            "enum",
            "struct",
            "tuple",
            "cstylevariant",
            "tuplevariant",
            "structvariant",
            "empty",
            "singletonenum",
            "regularenum",
            "compressedenum",
            "rust",
            "sbvalue",
            "rusttype",
            "backcompat",
            "init",
            "valobj",
            "true class",
            "nonnull",
            "rawvec",
            "value",
            "unique",
            "sbvalue start",
            "logger",
            "rust type",
            "vecdeque",
            "btreeset",
            "btreemap",
            "hashmap",
            "hashset",
            "cell",
            "refmut",
            "refcell",
            "zerofield",
            "index",
            "discriminant",
            "firstfield",
            "valueprinter",
            "enumprovider",
            "wtf8buf",
            "file",
            "e402 import",
            "usrbinxwayland",
            "usrbincargo",
            "usrbingawk",
            "usrbinnvme",
            "usrbinqmake",
            "usrbinsqlite3",
            "usrbinusermod",
            "usrbinzsh",
            "usrlibxorg",
            "usrlib64xorg",
            "helper",
            "printbyrusttype",
            "call",
            "stdrefprovider",
            "false return",
            "true",
            "issuspicious",
            "bignumbers1",
            "bignumbers3",
            "sha1constants",
            "md5constants",
            "bignumbers0",
            "crc32table",
            "base64table",
            "bignumbers4",
            "rooter",
            "javadropper",
            "warp"
          ],
          "references": [
            "rter",
            "rkit",
            "PoetRat_python",
            "rust_types.py",
            "silent_banker",
            "lldb_lookup.py",
            "lldb_providers.py",
            "lldb_commands",
            "gdm3-config-err-UQm6Ec",
            "gdb_providers.py",
            "gdb_load_rust_pretty_printers.py",
            "ldpreld",
            "gdb_lookup.py",
            "pre-f-boot.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 178,
            "FileHash-SHA1": 2,
            "hostname": 43
          },
          "indicator_count": 223,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 72,
          "modified_text": "783 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "rter",
        "lldb_providers.py",
        "gdm3-config-err-UQm6Ec",
        "gdb_providers.py",
        "gdb_lookup.py",
        "rust_types.py",
        "silent_banker",
        "lldb_lookup.py",
        "PoetRat_python",
        "pre-f-boot.txt",
        "lldb_commands",
        "gdb_load_rust_pretty_printers.py",
        "ldpreld",
        "rkit"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "6659ea571eab262a3942e77c",
      "name": "system.img - Unidentified Android Ext4 filesystem pulled from my machine",
      "description": "Honestly I can't recall where I fished this out of, but I had stashed it on a cloud storage drive for later exploitation, which is what this is. At present, I don't have the slightest clue what it is or what it was doing on my computer. But with the majority of the */bin/ files coming back as symlinks to */bin/toybox, I'm assuming it's nothing that'd enhance my day-to-day life for the better. Stand by for further analysis. At present these are just the SHA256s of the filesystem itself.",
      "modified": "2024-05-31T15:18:47.112000",
      "created": "2024-05-31T15:18:47.112000",
      "tags": [
        "mntdevfb0",
        "mntdevhda1",
        "mntdevhda3",
        "mntdevkmem",
        "mntdevmem",
        "mntdevmmcblk0p1",
        "mntdevmmcblk0p3",
        "mntdevmtd0",
        "mntdevmtd2",
        "mntdevmtd4"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1991,
        "domain": 70
      },
      "indicator_count": 2063,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 73,
      "modified_text": "730 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66140ea725356bd028ab9f58",
      "name": "Dump from unbooted fresh Arch install",
      "description": "Found an interesting Rust lib in a still-chrooted fresh Arch install - whether it's relevant is still to be determined. Still having issues with OTX not wanting to take actual files. Will wring this out a little more and repost with file hashes.",
      "modified": "2024-04-08T15:35:03.223000",
      "created": "2024-04-08T15:35:03.223000",
      "tags": [
        "poetratpython",
        "enum",
        "struct",
        "tuple",
        "cstylevariant",
        "tuplevariant",
        "structvariant",
        "empty",
        "singletonenum",
        "regularenum",
        "compressedenum",
        "rust",
        "sbvalue",
        "rusttype",
        "backcompat",
        "init",
        "valobj",
        "true class",
        "nonnull",
        "rawvec",
        "value",
        "unique",
        "sbvalue start",
        "logger",
        "rust type",
        "vecdeque",
        "btreeset",
        "btreemap",
        "hashmap",
        "hashset",
        "cell",
        "refmut",
        "refcell",
        "zerofield",
        "index",
        "discriminant",
        "firstfield",
        "valueprinter",
        "enumprovider",
        "wtf8buf",
        "file",
        "e402 import",
        "usrbinxwayland",
        "usrbincargo",
        "usrbingawk",
        "usrbinnvme",
        "usrbinqmake",
        "usrbinsqlite3",
        "usrbinusermod",
        "usrbinzsh",
        "usrlibxorg",
        "usrlib64xorg",
        "helper",
        "printbyrusttype",
        "call",
        "stdrefprovider",
        "false return",
        "true",
        "issuspicious",
        "bignumbers1",
        "bignumbers3",
        "sha1constants",
        "md5constants",
        "bignumbers0",
        "crc32table",
        "base64table",
        "bignumbers4",
        "rooter",
        "javadropper",
        "warp"
      ],
      "references": [
        "rter",
        "rkit",
        "PoetRat_python",
        "rust_types.py",
        "silent_banker",
        "lldb_lookup.py",
        "lldb_providers.py",
        "lldb_commands",
        "gdm3-config-err-UQm6Ec",
        "gdb_providers.py",
        "gdb_load_rust_pretty_printers.py",
        "ldpreld",
        "gdb_lookup.py",
        "pre-f-boot.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 178,
        "FileHash-SHA1": 2,
        "hostname": 43
      },
      "indicator_count": 223,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 72,
      "modified_text": "783 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "systemd.be",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "systemd.be",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780250219.4454868
}