{ "type": "Domain", "indicator": "tieredaccess.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/tieredaccess.com", "alexa": "http://www.alexa.com/siteinfo/tieredaccess.com", "indicator": "tieredaccess.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2670339946, "indicator": "tieredaccess.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6839003a3028827e1ebbfb1a", "name": "Tracking LummaC2 Infrastructure with Cats", "description": "The US Department of Justice and Microsoft disrupted LummaC2 infostealing-malware through domain seizures, taking down over 2,300 associated domains. The FBI and CISA released an advisory detailing LummaC2's tactics and indicators of compromise, including 114 domains. Analysis of these domains revealed common registration patterns, such as using Eastern European names and specific mail server hostnames. Notably, several domains featured an 'About Cats' landing page, with 58 additional domains sharing this characteristic and having high risk scores. These domains are suspected of distributing LummaC2 and other malware strains. Despite the takedown efforts, 41 of these domains remain active, highlighting the need for continued vigilance against LummaC2 infrastructure.", "modified": "2025-07-09T08:05:10.295000", "created": "2025-05-30T00:47:54.159000", "tags": [ "domain seizures", "threat intelligence", "lummac2", "infrastructure tracking", "risk scoring", "infostealing malware", "cat-themed domains", "malware distribution" ], "references": [ "https://www.domaintools.com/resources/blog/tracking-lummac2-infrastructure-with-cats" ], "public": 1, "adversary": "LummaC2", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LummaC2", "display_name": "LummaC2", "target": null } ], "attack_ids": [ { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 63, "domain": 47 }, "indicator_count": 130, "is_author": false, "is_subscribing": null, "subscriber_count": 386608, "modified_text": "326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fdc02a184d8d0f3370b069", "name": "ripe.arin.enom.cpanel.cpcalendar.iana.networksolutions.02050.webdisk.webmail.", "description": "interesting. 2000-06-05T14:09:35Z\nDNSSEC: unsigned\nDomain Name: GOTOCFR.COM\nDomain Status: https://icann.org/epp#clientTransferProhibited\nName Server: NS37.WORLDNIC.COM\nName Server: NS38.WORLDNIC.COM\nRegistrant City: 3f16518cc21288a8\nRegistrant Country: US\nRegistrant Email: a07a5df6ca9e975bs@gotocfr.com\nRegistrant Fax Ext: 3432650ec337c945\nRegistrant Fax: b3c25287c0f8ed51\nRegistrant Name: 3432650ec337c945\nRegistrant Organization: 3432650ec337c945\nRegistrant Phone Ext: 3432650ec337c945\nRegistrant Phone: a8108981ed146828\nRegistrant Postal Code: 22ba98fa33e9a7d1\nRegistrant State/Province: 2f0a6dc5401e8a9a\nRegistrant Street: c4d735c293d4e708\nRegistrar Abuse Contact Email: domain.operations@web.com\nRegistrar Abuse Contact Phone: +1.8777228662\nRegistrar IANA ID: 2\nRegistrar URL: http://networksolutions.com\nRegistrar WHOIS Server: whois.networksolutions.com\nRegistrar: Network Solutions, LLC\nRegistry Domain ID: 28566423_DOMAIN_COM-VRSN\nUpdated Date: 2026-04-06T06:20:14Z", "modified": "2026-05-09T07:30:09.404000", "created": "2026-05-08T10:51:22.795000", "tags": [ "msie", "chrome", "passive dns", "date", "urls", "fabricating and", "type", "media type", "gmt content", "certificate", "title", "body", "encrypt", "graph summary", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "code", "email", "server", "admin country", "registrant name", "and repair", "expiration date", "registry domain", "registrar iana", "creation date", "admin city", "key algorithm", "registrar abuse", "dnssec", "domain name", "status", "city", "us registrant", "registrant fax", "marshfield ssl", "common name", "issued", "supporte", "charter", "llc united", "statesunited", "new london", "i20100 may", "diesel", "ripe ncc", "ripe network", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "cidr", "ripe database", "orgabuseemail", "orgabusehandle", "nethandle", "thumbprint", "handle", "address range", "network name", "allocation type", "allocated pa", "whois server", "organization", "please note", "ip address", "google", "redacted for", "privacy admin", "privacy", "privacy tech", "street", "stateprovince", "form", "tech" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 45, "IPv4": 32, "URL": 932, "domain": 51, "email": 9, "hostname": 186, "FileHash-SHA256": 43, "FileHash-MD5": 3, "CIDR": 3 }, "indicator_count": 1304, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fdc02bea1e4ec923b01688", "name": "ripe.arin.enom.cpanel.cpcalendar.iana.networksolutions.02050.webdisk.webmail.", "description": "interesting. 2000-06-05T14:09:35Z\nDNSSEC: unsigned\nDomain Name: GOTOCFR.COM\nDomain Status: https://icann.org/epp#clientTransferProhibited\nName Server: NS37.WORLDNIC.COM\nName Server: NS38.WORLDNIC.COM\nRegistrant City: 3f16518cc21288a8\nRegistrant Country: US\nRegistrant Email: a07a5df6ca9e975bs@gotocfr.com\nRegistrant Fax Ext: 3432650ec337c945\nRegistrant Fax: b3c25287c0f8ed51\nRegistrant Name: 3432650ec337c945\nRegistrant Organization: 3432650ec337c945\nRegistrant Phone Ext: 3432650ec337c945\nRegistrant Phone: a8108981ed146828\nRegistrant Postal Code: 22ba98fa33e9a7d1\nRegistrant State/Province: 2f0a6dc5401e8a9a\nRegistrant Street: c4d735c293d4e708\nRegistrar Abuse Contact Email: domain.operations@web.com\nRegistrar Abuse Contact Phone: +1.8777228662\nRegistrar IANA ID: 2\nRegistrar URL: http://networksolutions.com\nRegistrar WHOIS Server: whois.networksolutions.com\nRegistrar: Network Solutions, LLC\nRegistry Domain ID: 28566423_DOMAIN_COM-VRSN\nUpdated Date: 2026-04-06T06:20:14Z", "modified": "2026-05-09T03:07:39.308000", "created": "2026-05-08T10:51:23.184000", "tags": [ "msie", "chrome", "passive dns", "date", "urls", "fabricating and", "type", "media type", "gmt content", "certificate", "title", "body", "encrypt", "graph summary", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "code", "email", "server", "admin country", "registrant name", "and repair", "expiration date", "registry domain", "registrar iana", "creation date", "admin city", "key algorithm", "registrar abuse", "dnssec", "domain name", "status", "city", "us registrant", "registrant fax", "marshfield ssl", "common name", "issued", "supporte", "charter", "llc united", "statesunited", "new london", "i20100 may", "diesel", "ripe ncc", "ripe network", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "cidr", "ripe database", "orgabuseemail", "orgabusehandle", "nethandle", "thumbprint", "handle", "address range", "network name", "allocation type", "allocated pa", "whois server", "organization", "please note", "ip address", "google", "redacted for", "privacy admin", "privacy", "privacy tech", "street", "stateprovince", "form", "tech" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 236, "IPv4": 315, "URL": 932, "domain": 1040, "email": 65, "hostname": 1049, "FileHash-SHA256": 960, "FileHash-MD5": 301, "CIDR": 39, "IPv6": 68, "CVE": 890, "SSLCertFingerprint": 16 }, "indicator_count": 5911, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683d4350bde5afe49b274f13", "name": "Tracking LummaC2 Infrastructure with Cats", "description": "", "modified": "2025-06-29T00:01:54.552000", "created": "2025-06-02T06:23:12.204000", "tags": [ "domain seizures", "threat intelligence", "lummac2", "infrastructure tracking", "risk scoring", "infostealing malware", "cat-themed domains", "malware distribution" ], "references": [ "https://www.domaintools.com/resources/blog/tracking-lummac2-infrastructure-with-cats" ], "public": 1, "adversary": "LummaC2", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LummaC2", "display_name": "LummaC2", "target": null } ], "attack_ids": [ { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [], "TLP": "white", "cloned_from": "6839003a3028827e1ebbfb1a", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 63, "URL": 1, "domain": 53, "hostname": 5 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "337 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683e8e4f37d4c4661d8afce4", "name": "IOC - Tracking LummaC2 Infrastructure with Cats", "description": "", "modified": "2025-06-29T00:01:54.552000", "created": "2025-06-03T05:55:27.051000", "tags": [ "domain seizures", "threat intelligence", "lummac2", "infrastructure tracking", "risk scoring", "infostealing malware", "cat-themed domains", "malware distribution" ], "references": [ "https://www.domaintools.com/resources/blog/tracking-lummac2-infrastructure-with-cats" ], "public": 1, "adversary": "LummaC2", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LummaC2", "display_name": "LummaC2", "target": null } ], "attack_ids": [ { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [], "TLP": "white", "cloned_from": "6839003a3028827e1ebbfb1a", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 63, "URL": 1, "domain": 53, "hostname": 5 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "337 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67035385a884405e783f9a7e", "name": "Mirai_Botnet_Malware | Healthcare \u00bb savethemalesdenver.com |", "description": "Impacting multiple Colorado medical facilities and educational institutions and patients. || Malware Families\nBackdoor:Linux/Mirai.B\nELF:Mirai-BZ\\ [Trj]\nMirai\nMirai_Botnet_Malware\nTrojan:Win32/Zombie.A\nTrojanClicker:Win32/Frosparf\nTrojanDownloader:Win32/Fosniw\nUnix.Trojan.Mirai-6976991-0\nAd", "modified": "2024-11-06T01:02:24.390000", "created": "2024-10-07T03:20:37.224000", "tags": [ "canada unknown", "redacted for", "as25825", "all scoreblue", "passive dns", "ipv4", "reverse dns", "next", "for privacy", "cname", "united states", "nxdomain", "ns nxdomain", "united", "as21928", "south korea", "as9318 sk", "taiwan as3462", "as701 verizon", "search", "maxage apt", "minage apt", "maxsize apt", "malware", "as44273 host", "creation date", "status", "showing", "record value", "certificate", "date", "urls", "overview ip", "address", "related nids", "files location", "flag united", "domain", "files related", "intel", "ms windows", "users", "pe32", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "trojan", "write", "registrar", "pulse submit", "url analysis", "files", "msie", "chrome", "rdds service", "record", "registrant", "admin", "tech contact", "name servers", "email please", "moved", "trojanproxy", "virtool", "as1221", "aaaa", "asnone united", "show", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "script urls", "gmt path", "fedora", "open ports", "nginx http", "server", "a domains", "gmt content", "set cookie", "gmt etag", "accept", "expiration date", "backdoor", "mirai", "scan endpoints", "all search", "otx scoreblue", "hostname", "verdict", "unknown", "new pulse", "loveland", "america asn", "Generic36.ABKD", "domains", "location canada", "as32133", "files ip", "address domain", "path max", "age86400 set", "cookie", "type", "entries", "script domains", "downloader", "body", "servers", "emails", "gmt max", "title", "meta", "as20940", "as16625 akamai", "west domains", "as4230 claro", "copy", "sabey", "contacted" ], "references": [ "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org", "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital", "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html", "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html", "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html", "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html", "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html", "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html", "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4", "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication", "Domains Contacted: ntp.ubuntu.com", "IP\u2019s Contacted: 1.0.128.143 1.10.54.226 1.107.217.150 1.112.34.224 1.114.165.87 1.116.76.208 1.118.37.88 1.121.139.226 1.122.96.75 1.114.207.168", "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com", "Trojan:Win32/Zombie.A FileHash-SHA256 ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "cpe-1-159-170-17.wb05.wa.asp.telstra.net", "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth, Australia ASN AS1221 telstra corporation", "ELF:Mirai-BZ\\ [Trj] cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation", "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555", "Yara Detections: Mirai_Botnet_Malware , MAL_ELF_LNX_Mirai_Oct10_2 , SUSP_XORed_Mozilla , is__elf", "198.49.6.6 \u00bb Loveland, United States of America ASN AS25825 poudre valley health care inc." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Taiwan", "Philippines", "India", "Italy", "Germany", "Netherlands" ], "malware_families": [ { "id": "ELF:Mirai-BZ\\ [Trj]", "display_name": "ELF:Mirai-BZ\\ [Trj]", "target": null }, { "id": "Mirai_Botnet_Malware", "display_name": "Mirai_Botnet_Malware", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Unix.Trojan.Mirai-6976991-0", "display_name": "Unix.Trojan.Mirai-6976991-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TrojanDownloader:Win32/Fosniw", "display_name": "TrojanDownloader:Win32/Fosniw", "target": "/malware/TrojanDownloader:Win32/Fosniw" }, { "id": "TrojanClicker:Win32/Frosparf", "display_name": "TrojanClicker:Win32/Frosparf", "target": "/malware/TrojanClicker:Win32/Frosparf" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Legal", "Healthcare", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1230, "email": 16, "hostname": 1560, "URL": 3400, "FileHash-SHA256": 1064, "FileHash-MD5": 544, "FileHash-SHA1": 496, "CVE": 1 }, "indicator_count": 8311, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ea4f775d2013a53baee718", "name": "Anonymizer \u2022 Proxy", "description": "Anonymizer \u2022 Proxy AS29789 Reflected Networks Inc\nMALICIOUS IP", "modified": "2023-09-25T18:02:52.389000", "created": "2023-08-26T19:16:07.377000", "tags": [ "whois record", "threat roundup", "ssl certificate", "october", "december", "january", "whois whois", "threat round", "copy", "historical ssl", "agenttesla", "number", "label reflected", "registry arin", "country us", "continent na", "algorithm", "full name", "data", "v3 serial", "cus cndigicert", "tls hybrid", "ecc sha384", "ca1 odigicert", "inc validity", "networks", "whois lookup", "netrange", "nethandle", "net66", "net660000", "refle2", "main st", "city", "postalcode", "android", "win32 exe", "ms word", "document", "javascript", "text", "type name", "zip hub", "verisign", "redacted for", "server", "whois database", "privacy", "whois", "privacy admin", "privacy tech", "icann whois", "form", "date", "code", "tech", "omg freesites", "key algorithm", "ec oid", "key identifier", "subject key", "first", "info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 157, "hostname": 105, "domain": 150, "URL": 77, "FileHash-MD5": 52, "FileHash-SHA1": 55, "CIDR": 3, "email": 5 }, "indicator_count": 604, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "979 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62c7e551e3ebe780779b5203", "name": "MAR-10324784-1.v1: FiveHands Ransomware | CISA", "description": "The US Department of Homeland Security (DHS) is distributing a report on cyber-security, as well as providing guidance on how to protect against malware and other malicious activity, using the Traffic Light Protocol (TLP).", "modified": "2022-08-07T00:05:43.824000", "created": "2022-07-08T08:05:37.937000", "tags": [ "typebuilder", "sombrat", "fivehands", "zusy.375932", "uscert", "csirt", "cert", "cybersecurity", "cyber security", "computer security", "u. s. computer emergency readiness", "cyber risks", "intptr", "public", "uint32", "outnull", "uint16", "parameter", "mandatory", "position", "type", "int64", "class", "powershell", "info", "shellcode", "void", "error", "stop", "magic", "twitter", "write", "first", "verify", "powersploit", "next", "copy", "done", "null", "main" ], "references": [ "https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-126b" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TypeBuilder", "display_name": "TypeBuilder", "target": null }, { "id": "SombRAT", "display_name": "SombRAT", "target": null }, { "id": "FiveHands", "display_name": "FiveHands", "target": null }, { "id": "Zusy.375932", "display_name": "Zusy.375932", "target": null }, { "id": "Red Alert Ransomware", "display_name": "Red Alert Ransomware", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cyberasmi", "id": "169715", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "FileHash-MD5": 74, "FileHash-SHA1": 19, "FileHash-SHA256": 19, "YARA": 1, "domain": 3, "hostname": 4 }, "indicator_count": 126, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "1394 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "620229549eea745af7c7950c", "name": "FiveHands Ransomware", "description": "", "modified": "2022-02-08T08:27:00.493000", "created": "2022-02-08T08:27:00.493000", "tags": [], "references": [ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "FiveHands", "display_name": "FiveHands", "target": null }, { "id": "SombRAT", "display_name": "SombRAT", "target": null } ], "attack_ids": [ { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "white", "cloned_from": "6094255546e0772048abb016", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "natof6654", "id": "179854", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 51, "domain": 3, "hostname": 4, "FileHash-MD5": 74, "FileHash-SHA256": 18, "FileHash-SHA1": 18, "YARA": 1 }, "indicator_count": 169, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1573 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62022825401112d3a9dbd62b", "name": "FiveHands", "description": "", "modified": "2022-02-08T08:21:57.353000", "created": "2022-02-08T08:21:57.353000", "tags": [], "references": [ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "FiveHands", "display_name": "FiveHands", "target": null }, { "id": "SombRAT", "display_name": "SombRAT", "target": null } ], "attack_ids": [ { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "white", "cloned_from": "6094255546e0772048abb016", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "natof6654", "id": "179854", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 51, "domain": 3, "hostname": 4, "FileHash-MD5": 74, "FileHash-SHA256": 18, "FileHash-SHA1": 18, "YARA": 1 }, "indicator_count": 169, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1573 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b", "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html", "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth, Australia ASN AS1221 telstra corporation", "cpe-1-159-170-17.wb05.wa.asp.telstra.net", "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4", "https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-126b", "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Yara Detections: Mirai_Botnet_Malware , MAL_ELF_LNX_Mirai_Oct10_2 , SUSP_XORed_Mozilla , is__elf", "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html", "IP\u2019s Contacted: 1.0.128.143 1.10.54.226 1.107.217.150 1.112.34.224 1.114.165.87 1.116.76.208 1.118.37.88 1.121.139.226 1.122.96.75 1.114.207.168", "ELF:Mirai-BZ\\ [Trj] cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation", "Trojan:Win32/Zombie.A FileHash-SHA256 ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830", "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555", "https://www.domaintools.com/resources/blog/tracking-lummac2-infrastructure-with-cats", "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html", "198.49.6.6 \u00bb Loveland, United States of America ASN AS25825 poudre valley health care inc.", "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication", "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org", "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com", "Domains Contacted: ntp.ubuntu.com", "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital", "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html", "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html" ], "related": { "alienvault": { "adversary": [ "LummaC2" ], "malware_families": [ "Lummac2" ], "industries": [] }, "other": { "adversary": [ "LummaC2" ], "malware_families": [ "Mirai", "Zusy.375932", "Red alert ransomware", "Lummac2", "Fivehands", "Trojanclicker:win32/frosparf", "Sombrat", "Mirai_botnet_malware", "Elf:mirai-bz\\ [trj]", "Unix.trojan.mirai-6976991-0", "Typebuilder", "Trojan:win32/zombie.a", "Backdoor:linux/mirai.b", "Trojandownloader:win32/fosniw" ], "industries": [ "Healthcare", "Legal", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6839003a3028827e1ebbfb1a", "name": "Tracking LummaC2 Infrastructure with Cats", "description": "The US Department of Justice and Microsoft disrupted LummaC2 infostealing-malware through domain seizures, taking down over 2,300 associated domains. The FBI and CISA released an advisory detailing LummaC2's tactics and indicators of compromise, including 114 domains. Analysis of these domains revealed common registration patterns, such as using Eastern European names and specific mail server hostnames. Notably, several domains featured an 'About Cats' landing page, with 58 additional domains sharing this characteristic and having high risk scores. These domains are suspected of distributing LummaC2 and other malware strains. Despite the takedown efforts, 41 of these domains remain active, highlighting the need for continued vigilance against LummaC2 infrastructure.", "modified": "2025-07-09T08:05:10.295000", "created": "2025-05-30T00:47:54.159000", "tags": [ "domain seizures", "threat intelligence", "lummac2", "infrastructure tracking", "risk scoring", "infostealing malware", "cat-themed domains", "malware distribution" ], "references": [ "https://www.domaintools.com/resources/blog/tracking-lummac2-infrastructure-with-cats" ], "public": 1, "adversary": "LummaC2", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LummaC2", "display_name": "LummaC2", "target": null } ], "attack_ids": [ { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 63, "domain": 47 }, "indicator_count": 130, "is_author": false, "is_subscribing": null, "subscriber_count": 386608, "modified_text": "326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fdc02a184d8d0f3370b069", "name": "ripe.arin.enom.cpanel.cpcalendar.iana.networksolutions.02050.webdisk.webmail.", "description": "interesting. 2000-06-05T14:09:35Z\nDNSSEC: unsigned\nDomain Name: GOTOCFR.COM\nDomain Status: https://icann.org/epp#clientTransferProhibited\nName Server: NS37.WORLDNIC.COM\nName Server: NS38.WORLDNIC.COM\nRegistrant City: 3f16518cc21288a8\nRegistrant Country: US\nRegistrant Email: a07a5df6ca9e975bs@gotocfr.com\nRegistrant Fax Ext: 3432650ec337c945\nRegistrant Fax: b3c25287c0f8ed51\nRegistrant Name: 3432650ec337c945\nRegistrant Organization: 3432650ec337c945\nRegistrant Phone Ext: 3432650ec337c945\nRegistrant Phone: a8108981ed146828\nRegistrant Postal Code: 22ba98fa33e9a7d1\nRegistrant State/Province: 2f0a6dc5401e8a9a\nRegistrant Street: c4d735c293d4e708\nRegistrar Abuse Contact Email: domain.operations@web.com\nRegistrar Abuse Contact Phone: +1.8777228662\nRegistrar IANA ID: 2\nRegistrar URL: http://networksolutions.com\nRegistrar WHOIS Server: whois.networksolutions.com\nRegistrar: Network Solutions, LLC\nRegistry Domain ID: 28566423_DOMAIN_COM-VRSN\nUpdated Date: 2026-04-06T06:20:14Z", "modified": "2026-05-09T07:30:09.404000", "created": "2026-05-08T10:51:22.795000", "tags": [ "msie", "chrome", "passive dns", "date", "urls", "fabricating and", "type", "media type", "gmt content", "certificate", "title", "body", "encrypt", "graph summary", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "code", "email", "server", "admin country", "registrant name", "and repair", "expiration date", "registry domain", "registrar iana", "creation date", "admin city", "key algorithm", "registrar abuse", "dnssec", "domain name", "status", "city", "us registrant", "registrant fax", "marshfield ssl", "common name", "issued", "supporte", "charter", "llc united", "statesunited", "new london", "i20100 may", "diesel", "ripe ncc", "ripe network", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "cidr", "ripe database", "orgabuseemail", "orgabusehandle", "nethandle", "thumbprint", "handle", "address range", "network name", "allocation type", "allocated pa", "whois server", "organization", "please note", "ip address", "google", "redacted for", "privacy admin", "privacy", "privacy tech", "street", "stateprovince", "form", "tech" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 45, "IPv4": 32, "URL": 932, "domain": 51, "email": 9, "hostname": 186, "FileHash-SHA256": 43, "FileHash-MD5": 3, "CIDR": 3 }, "indicator_count": 1304, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fdc02bea1e4ec923b01688", "name": "ripe.arin.enom.cpanel.cpcalendar.iana.networksolutions.02050.webdisk.webmail.", "description": "interesting. 2000-06-05T14:09:35Z\nDNSSEC: unsigned\nDomain Name: GOTOCFR.COM\nDomain Status: https://icann.org/epp#clientTransferProhibited\nName Server: NS37.WORLDNIC.COM\nName Server: NS38.WORLDNIC.COM\nRegistrant City: 3f16518cc21288a8\nRegistrant Country: US\nRegistrant Email: a07a5df6ca9e975bs@gotocfr.com\nRegistrant Fax Ext: 3432650ec337c945\nRegistrant Fax: b3c25287c0f8ed51\nRegistrant Name: 3432650ec337c945\nRegistrant Organization: 3432650ec337c945\nRegistrant Phone Ext: 3432650ec337c945\nRegistrant Phone: a8108981ed146828\nRegistrant Postal Code: 22ba98fa33e9a7d1\nRegistrant State/Province: 2f0a6dc5401e8a9a\nRegistrant Street: c4d735c293d4e708\nRegistrar Abuse Contact Email: domain.operations@web.com\nRegistrar Abuse Contact Phone: +1.8777228662\nRegistrar IANA ID: 2\nRegistrar URL: http://networksolutions.com\nRegistrar WHOIS Server: whois.networksolutions.com\nRegistrar: Network Solutions, LLC\nRegistry Domain ID: 28566423_DOMAIN_COM-VRSN\nUpdated Date: 2026-04-06T06:20:14Z", "modified": "2026-05-09T03:07:39.308000", "created": "2026-05-08T10:51:23.184000", "tags": [ "msie", "chrome", "passive dns", "date", "urls", "fabricating and", "type", "media type", "gmt content", "certificate", "title", "body", "encrypt", "graph summary", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "code", "email", "server", "admin country", "registrant name", "and repair", "expiration date", "registry domain", "registrar iana", "creation date", "admin city", "key algorithm", "registrar abuse", "dnssec", "domain name", "status", "city", "us registrant", "registrant fax", "marshfield ssl", "common name", "issued", "supporte", "charter", "llc united", "statesunited", "new london", "i20100 may", "diesel", "ripe ncc", "ripe network", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "cidr", "ripe database", "orgabuseemail", "orgabusehandle", "nethandle", "thumbprint", "handle", "address range", "network name", "allocation type", "allocated pa", "whois server", "organization", "please note", "ip address", "google", "redacted for", "privacy admin", "privacy", "privacy tech", "street", "stateprovince", "form", "tech" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 236, "IPv4": 315, "URL": 932, "domain": 1040, "email": 65, "hostname": 1049, "FileHash-SHA256": 960, "FileHash-MD5": 301, "CIDR": 39, "IPv6": 68, "CVE": 890, "SSLCertFingerprint": 16 }, "indicator_count": 5911, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683d4350bde5afe49b274f13", "name": "Tracking LummaC2 Infrastructure with Cats", "description": "", "modified": "2025-06-29T00:01:54.552000", "created": "2025-06-02T06:23:12.204000", "tags": [ "domain seizures", "threat intelligence", "lummac2", "infrastructure tracking", "risk scoring", "infostealing malware", "cat-themed domains", "malware distribution" ], "references": [ "https://www.domaintools.com/resources/blog/tracking-lummac2-infrastructure-with-cats" ], "public": 1, "adversary": "LummaC2", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LummaC2", "display_name": "LummaC2", "target": null } ], "attack_ids": [ { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [], "TLP": "white", "cloned_from": "6839003a3028827e1ebbfb1a", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 63, "URL": 1, "domain": 53, "hostname": 5 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "337 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683e8e4f37d4c4661d8afce4", "name": "IOC - Tracking LummaC2 Infrastructure with Cats", "description": "", "modified": "2025-06-29T00:01:54.552000", "created": "2025-06-03T05:55:27.051000", "tags": [ "domain seizures", "threat intelligence", "lummac2", "infrastructure tracking", "risk scoring", "infostealing malware", "cat-themed domains", "malware distribution" ], "references": [ "https://www.domaintools.com/resources/blog/tracking-lummac2-infrastructure-with-cats" ], "public": 1, "adversary": "LummaC2", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LummaC2", "display_name": "LummaC2", "target": null } ], "attack_ids": [ { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [], "TLP": "white", "cloned_from": "6839003a3028827e1ebbfb1a", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 63, "URL": 1, "domain": 53, "hostname": 5 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "337 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67035385a884405e783f9a7e", "name": "Mirai_Botnet_Malware | Healthcare \u00bb savethemalesdenver.com |", "description": "Impacting multiple Colorado medical facilities and educational institutions and patients. || Malware Families\nBackdoor:Linux/Mirai.B\nELF:Mirai-BZ\\ [Trj]\nMirai\nMirai_Botnet_Malware\nTrojan:Win32/Zombie.A\nTrojanClicker:Win32/Frosparf\nTrojanDownloader:Win32/Fosniw\nUnix.Trojan.Mirai-6976991-0\nAd", "modified": "2024-11-06T01:02:24.390000", "created": "2024-10-07T03:20:37.224000", "tags": [ "canada unknown", "redacted for", "as25825", "all scoreblue", "passive dns", "ipv4", "reverse dns", "next", "for privacy", "cname", "united states", "nxdomain", "ns nxdomain", "united", "as21928", "south korea", "as9318 sk", "taiwan as3462", "as701 verizon", "search", "maxage apt", "minage apt", "maxsize apt", "malware", "as44273 host", "creation date", "status", "showing", "record value", "certificate", "date", "urls", "overview ip", "address", "related nids", "files location", "flag united", "domain", "files related", "intel", "ms windows", "users", "pe32", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "trojan", "write", "registrar", "pulse submit", "url analysis", "files", "msie", "chrome", "rdds service", "record", "registrant", "admin", "tech contact", "name servers", "email please", "moved", "trojanproxy", "virtool", "as1221", "aaaa", "asnone united", "show", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "script urls", "gmt path", "fedora", "open ports", "nginx http", "server", "a domains", "gmt content", "set cookie", "gmt etag", "accept", "expiration date", "backdoor", "mirai", "scan endpoints", "all search", "otx scoreblue", "hostname", "verdict", "unknown", "new pulse", "loveland", "america asn", "Generic36.ABKD", "domains", "location canada", "as32133", "files ip", "address domain", "path max", "age86400 set", "cookie", "type", "entries", "script domains", "downloader", "body", "servers", "emails", "gmt max", "title", "meta", "as20940", "as16625 akamai", "west domains", "as4230 claro", "copy", "sabey", "contacted" ], "references": [ "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org", "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital", "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html", "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html", "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html", "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html", "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html", "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html", "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4", "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication", "Domains Contacted: ntp.ubuntu.com", "IP\u2019s Contacted: 1.0.128.143 1.10.54.226 1.107.217.150 1.112.34.224 1.114.165.87 1.116.76.208 1.118.37.88 1.121.139.226 1.122.96.75 1.114.207.168", "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com", "Trojan:Win32/Zombie.A FileHash-SHA256 ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "cpe-1-159-170-17.wb05.wa.asp.telstra.net", "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth, Australia ASN AS1221 telstra corporation", "ELF:Mirai-BZ\\ [Trj] cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation", "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555", "Yara Detections: Mirai_Botnet_Malware , MAL_ELF_LNX_Mirai_Oct10_2 , SUSP_XORed_Mozilla , is__elf", "198.49.6.6 \u00bb Loveland, United States of America ASN AS25825 poudre valley health care inc." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Taiwan", "Philippines", "India", "Italy", "Germany", "Netherlands" ], "malware_families": [ { "id": "ELF:Mirai-BZ\\ [Trj]", "display_name": "ELF:Mirai-BZ\\ [Trj]", "target": null }, { "id": "Mirai_Botnet_Malware", "display_name": "Mirai_Botnet_Malware", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Unix.Trojan.Mirai-6976991-0", "display_name": "Unix.Trojan.Mirai-6976991-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TrojanDownloader:Win32/Fosniw", "display_name": "TrojanDownloader:Win32/Fosniw", "target": "/malware/TrojanDownloader:Win32/Fosniw" }, { "id": "TrojanClicker:Win32/Frosparf", "display_name": "TrojanClicker:Win32/Frosparf", "target": "/malware/TrojanClicker:Win32/Frosparf" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Legal", "Healthcare", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1230, "email": 16, "hostname": 1560, "URL": 3400, "FileHash-SHA256": 1064, "FileHash-MD5": 544, "FileHash-SHA1": 496, "CVE": 1 }, "indicator_count": 8311, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ea4f775d2013a53baee718", "name": "Anonymizer \u2022 Proxy", "description": "Anonymizer \u2022 Proxy AS29789 Reflected Networks Inc\nMALICIOUS IP", "modified": "2023-09-25T18:02:52.389000", "created": "2023-08-26T19:16:07.377000", "tags": [ "whois record", "threat roundup", "ssl certificate", "october", "december", "january", "whois whois", "threat round", "copy", "historical ssl", "agenttesla", "number", "label reflected", "registry arin", "country us", "continent na", "algorithm", "full name", "data", "v3 serial", "cus cndigicert", "tls hybrid", "ecc sha384", "ca1 odigicert", "inc validity", "networks", "whois lookup", "netrange", "nethandle", "net66", "net660000", "refle2", "main st", "city", "postalcode", "android", "win32 exe", "ms word", "document", "javascript", "text", "type name", "zip hub", "verisign", "redacted for", "server", "whois database", "privacy", "whois", "privacy admin", "privacy tech", "icann whois", "form", "date", "code", "tech", "omg freesites", "key algorithm", "ec oid", "key identifier", "subject key", "first", "info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 157, "hostname": 105, "domain": 150, "URL": 77, "FileHash-MD5": 52, "FileHash-SHA1": 55, "CIDR": 3, "email": 5 }, "indicator_count": 604, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "979 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62c7e551e3ebe780779b5203", "name": "MAR-10324784-1.v1: FiveHands Ransomware | CISA", "description": "The US Department of Homeland Security (DHS) is distributing a report on cyber-security, as well as providing guidance on how to protect against malware and other malicious activity, using the Traffic Light Protocol (TLP).", "modified": "2022-08-07T00:05:43.824000", "created": "2022-07-08T08:05:37.937000", "tags": [ "typebuilder", "sombrat", "fivehands", "zusy.375932", "uscert", "csirt", "cert", "cybersecurity", "cyber security", "computer security", "u. s. computer emergency readiness", "cyber risks", "intptr", "public", "uint32", "outnull", "uint16", "parameter", "mandatory", "position", "type", "int64", "class", "powershell", "info", "shellcode", "void", "error", "stop", "magic", "twitter", "write", "first", "verify", "powersploit", "next", "copy", "done", "null", "main" ], "references": [ "https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-126b" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TypeBuilder", "display_name": "TypeBuilder", "target": null }, { "id": "SombRAT", "display_name": "SombRAT", "target": null }, { "id": "FiveHands", "display_name": "FiveHands", "target": null }, { "id": "Zusy.375932", "display_name": "Zusy.375932", "target": null }, { "id": "Red Alert Ransomware", "display_name": "Red Alert Ransomware", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cyberasmi", "id": "169715", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "FileHash-MD5": 74, "FileHash-SHA1": 19, "FileHash-SHA256": 19, "YARA": 1, "domain": 3, "hostname": 4 }, "indicator_count": 126, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "1394 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "620229549eea745af7c7950c", "name": "FiveHands Ransomware", "description": "", "modified": "2022-02-08T08:27:00.493000", "created": "2022-02-08T08:27:00.493000", "tags": [], "references": [ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "FiveHands", "display_name": "FiveHands", "target": null }, { "id": "SombRAT", "display_name": "SombRAT", "target": null } ], "attack_ids": [ { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "white", "cloned_from": "6094255546e0772048abb016", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "natof6654", "id": "179854", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 51, "domain": 3, "hostname": 4, "FileHash-MD5": 74, "FileHash-SHA256": 18, "FileHash-SHA1": 18, "YARA": 1 }, "indicator_count": 169, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1573 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62022825401112d3a9dbd62b", "name": "FiveHands", "description": "", "modified": "2022-02-08T08:21:57.353000", "created": "2022-02-08T08:21:57.353000", "tags": [], "references": [ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "FiveHands", "display_name": "FiveHands", "target": null }, { "id": "SombRAT", "display_name": "SombRAT", "target": null } ], "attack_ids": [ { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "white", "cloned_from": "6094255546e0772048abb016", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "natof6654", "id": "179854", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 51, "domain": 3, "hostname": 4, "FileHash-MD5": 74, "FileHash-SHA256": 18, "FileHash-SHA1": 18, "YARA": 1 }, "indicator_count": 169, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1573 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "tieredaccess.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "tieredaccess.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780284391.729393 }