{
  "type": "Domain",
  "indicator": "tigo.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/tigo.com",
    "alexa": "http://www.alexa.com/siteinfo/tigo.com",
    "indicator": "tigo.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2943329869,
      "indicator": "tigo.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "69d48d3b4900e932be011875",
          "name": "Free Automated Malware Analysis Service - Falcon Sandbox -",
          "description": "",
          "modified": "2026-05-07T04:07:52.917000",
          "created": "2026-04-07T04:51:07.162000",
          "tags": [
            "ip address",
            "december",
            "c2 server",
            "famous chollima",
            "hostwinds",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "threat level",
            "ansi",
            "date",
            "pcap",
            "pcap processing",
            "report domain",
            "report",
            "sha256",
            "filepath",
            "runtime process",
            "path",
            "suspicious",
            "hostile",
            "hybrid",
            "accept",
            "close",
            "click",
            "hosts",
            "malicious",
            "general",
            "local",
            "factory",
            "strings",
            "contact",
            "united",
            "flag",
            "germany germany",
            "enom",
            "gmt flag",
            "server",
            "name server",
            "contacted hosts",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please",
            "prefetch8 ansi",
            "show process",
            "hash seen",
            "ck id",
            "win64",
            "gecko",
            "mitre att",
            "comspec",
            "april",
            "refresh",
            "model",
            "mozi",
            "window",
            "dest"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
            "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
            "https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
            "https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 84,
            "domain": 72,
            "URL": 112,
            "FileHash-MD5": 94,
            "FileHash-SHA1": 68,
            "email": 2,
            "hostname": 91,
            "SSLCertFingerprint": 12
          },
          "indicator_count": 535,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d48d3b4cb631f407faf565",
          "name": "Free Automated Malware Analysis Service - Falcon Sandbox -",
          "description": "",
          "modified": "2026-05-07T04:07:52.917000",
          "created": "2026-04-07T04:51:07.591000",
          "tags": [
            "ip address",
            "december",
            "c2 server",
            "famous chollima",
            "hostwinds",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "threat level",
            "ansi",
            "date",
            "pcap",
            "pcap processing",
            "report domain",
            "report",
            "sha256",
            "filepath",
            "runtime process",
            "path",
            "suspicious",
            "hostile",
            "hybrid",
            "accept",
            "close",
            "click",
            "hosts",
            "malicious",
            "general",
            "local",
            "factory",
            "strings",
            "contact",
            "united",
            "flag",
            "germany germany",
            "enom",
            "gmt flag",
            "server",
            "name server",
            "contacted hosts",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please",
            "prefetch8 ansi",
            "show process",
            "hash seen",
            "ck id",
            "win64",
            "gecko",
            "mitre att",
            "comspec",
            "april",
            "refresh",
            "model",
            "mozi",
            "window",
            "dest"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
            "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
            "https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
            "https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 84,
            "domain": 72,
            "URL": 112,
            "FileHash-MD5": 94,
            "FileHash-SHA1": 68,
            "email": 2,
            "hostname": 91,
            "SSLCertFingerprint": 12
          },
          "indicator_count": 535,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d48d3cfab80e8a75ef85c1",
          "name": "Free Automated Malware Analysis Service - Falcon Sandbox -",
          "description": "",
          "modified": "2026-05-07T04:07:52.917000",
          "created": "2026-04-07T04:51:08.017000",
          "tags": [
            "ip address",
            "december",
            "c2 server",
            "famous chollima",
            "hostwinds",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "threat level",
            "ansi",
            "date",
            "pcap",
            "pcap processing",
            "report domain",
            "report",
            "sha256",
            "filepath",
            "runtime process",
            "path",
            "suspicious",
            "hostile",
            "hybrid",
            "accept",
            "close",
            "click",
            "hosts",
            "malicious",
            "general",
            "local",
            "factory",
            "strings",
            "contact",
            "united",
            "flag",
            "germany germany",
            "enom",
            "gmt flag",
            "server",
            "name server",
            "contacted hosts",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please",
            "prefetch8 ansi",
            "show process",
            "hash seen",
            "ck id",
            "win64",
            "gecko",
            "mitre att",
            "comspec",
            "april",
            "refresh",
            "model",
            "mozi",
            "window",
            "dest"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
            "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
            "https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
            "https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 84,
            "domain": 72,
            "URL": 113,
            "FileHash-MD5": 94,
            "FileHash-SHA1": 68,
            "email": 2,
            "hostname": 91,
            "SSLCertFingerprint": 12
          },
          "indicator_count": 536,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689b9b9fab42ca4f016a226f",
          "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)",
          "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's AI-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAI platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022  Nymeria\n\u2022 Forcud +",
          "modified": "2025-09-11T13:03:18.814000",
          "created": "2025-08-12T19:53:03.953000",
          "tags": [
            "url http",
            "url https",
            "indicator role",
            "title added",
            "active related",
            "pulses url",
            "entries",
            "learn",
            "command",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "spawns",
            "mitre att",
            "ck techniques",
            "evasion att",
            "href",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "sha1",
            "sha256",
            "show technique",
            "ck matrix",
            "null",
            "refresh",
            "body",
            "span",
            "general",
            "local",
            "path",
            "iframe",
            "click",
            "date",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "united",
            "unknown ns",
            "ip address",
            "creation date",
            "search",
            "present sep",
            "moved",
            "domain add",
            "encrypt",
            "accept",
            "please",
            "passive dns",
            "msie",
            "next associated",
            "html",
            "background",
            "unknown site",
            "div div",
            "trojan",
            "zeus",
            "process32nextw",
            "read c",
            "show",
            "shellexecuteexw",
            "windows nt",
            "wow64",
            "copy",
            "dock",
            "write",
            "malware",
            "unknown",
            "defense evasion",
            "t1480 execution",
            "file defense",
            "august",
            "hybrid",
            "port",
            "destination",
            "tlsv1",
            "as15169",
            "ogoogle trust",
            "cngts ca",
            "execution",
            "next",
            "persistence",
            "data upload",
            "extraction",
            "win32",
            "ransom",
            "trojandropper",
            "mtb nov",
            "forcud",
            "files show",
            "date hash",
            "avast avg"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4179,
            "domain": 774,
            "hostname": 1673,
            "FileHash-MD5": 169,
            "FileHash-SHA1": 110,
            "FileHash-SHA256": 2073,
            "email": 1,
            "SSLCertFingerprint": 13,
            "CVE": 1
          },
          "indicator_count": 8993,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "262 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65336ac2b48ca82aeb55aeed",
          "name": "Woodynet.net,Id3.net and me.",
          "description": "The saga continues - But without invoking the jinx I'll focus on the data: Woodynet.net and Id3.net have been my (notso)friendly unoptoutable-dns-resolvers I'm assuming since all of this kicked off now nearing over 1.5+ years ago. I was finally able to dump my iPhone12 in which I had had since this all started and with that really gain some leg and breathing room. But, I'm still being pumped malicious software in the form of ISOs, Linux packages, Windows Updates, and so on. And these are the nexus right here. I was able to net a solid bounty from Hybrid-Analysis including 15+ trojans, about 10 different backdoors, and a slew of other collateral that honestly surprised me as Criminalip and OTX weren't wanting to speak the same language in terms of IOC translations from them to the pulse. I'm trying in vain to find the beacon(s) or whatever they're using to keep persistence.",
          "modified": "2024-02-14T21:43:43.324000",
          "created": "2023-10-21T06:08:02.798000",
          "tags": [
            "ip lookup",
            "port check",
            "vulnerability scanner",
            "attack surface",
            "cyber threat intelligence",
            "cti",
            "asm",
            "domain",
            "exploit",
            "phishing",
            "ip address",
            "united",
            "criminal",
            "historical",
            "information",
            "ai spera",
            "search engine",
            "ip search",
            "english english",
            "franais",
            "contact",
            "china",
            "ip location",
            "ip owner",
            "internet",
            "ip locator",
            "remember",
            "dp ip",
            "ip checker",
            "lookup",
            "strong",
            "summary",
            "ip information",
            "pricing login",
            "score",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "ansi",
            "data",
            "decrypted ssl",
            "windows nt",
            "threat level",
            "runtime data",
            "okserver",
            "date",
            "ffffff",
            "plugin",
            "path",
            "stop",
            "mask",
            "accept",
            "click",
            "prop",
            "error",
            "template",
            "class",
            "core",
            "span",
            "body",
            "suspicious",
            "back",
            "cluster",
            "null",
            "form",
            "zbot",
            "bounce",
            "this",
            "linear",
            "window",
            "ticker",
            "tick",
            "import",
            "orbit",
            "config",
            "main",
            "android",
            "cookie",
            "trident",
            "vidc",
            "hybrid",
            "close",
            "hosts",
            "general",
            "local",
            "mozilla",
            "strings",
            "podcast",
            "team",
            "june",
            "criminal ip",
            "engine",
            "resource",
            "dropped file",
            "pattern match",
            "script",
            "noscript",
            "connectivity",
            "bare metal",
            "iframe",
            "enterprise",
            "discord",
            "twitter",
            "facebook",
            "meta",
            "media",
            "story",
            "tools",
            "tokyo",
            "rocket",
            "fullscreen",
            "next",
            "small",
            "bare",
            "font",
            "helvetica",
            "arial",
            "tbody",
            "dnssec",
            "woodynet",
            "paris",
            "hong",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please"
          ],
          "references": [
            "https://www.criminalip.io/asset/report/69.166.14.38",
            "https://www.criminalip.io/asset/report/114.215.222.125",
            "https://dnschecker.org/ip-location.php?ip=31.204.146.148",
            "https://www.criminalip.io/domain/report?scan_id=8544746",
            "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/5efec3f6b03bcb74f200310b",
            "https://www.criminalip.io/images/search/domain/category/icon_page_redirections.svg",
            "https://www.criminalip.io/domain/report?scan_id=8544687",
            "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/653366aac5f632cbbf0f0000",
            "https://hybrid-analysis.com/sample/020fe56e2d49ead60b67a1e20b43ee0846c493c7edb3118b34c5c964fc131794/6533667318fa4c29320ec174",
            "https://hybrid-analysis.com/sample/2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Unknown",
              "display_name": "Unknown",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1043",
              "name": "Commonly Used Port",
              "display_name": "T1043 - Commonly Used Port"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            }
          ],
          "industries": [
            "individuals"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 42,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 268,
            "hostname": 50,
            "domain": 61,
            "FileHash-MD5": 112,
            "FileHash-SHA1": 110,
            "FileHash-SHA256": 110,
            "email": 9
          },
          "indicator_count": 720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 74,
          "modified_text": "837 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708cbaff7263ec6e06baa7",
          "name": "http://www.ftpftpftp.com/yk.exe",
          "description": "",
          "modified": "2023-12-06T15:01:14.367000",
          "created": "2023-12-06T15:01:14.367000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 177,
            "FileHash-MD5": 62,
            "FileHash-SHA1": 47,
            "URL": 439,
            "domain": 111,
            "hostname": 112,
            "CVE": 1
          },
          "indicator_count": 949,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708cb730ef54f76f707779",
          "name": "http://www.ftpftpftp.com/yk.exe",
          "description": "",
          "modified": "2023-12-06T15:01:11.538000",
          "created": "2023-12-06T15:01:11.538000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 168,
            "FileHash-MD5": 62,
            "FileHash-SHA1": 47,
            "URL": 371,
            "domain": 95,
            "hostname": 89,
            "CVE": 1
          },
          "indicator_count": 833,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708a8f3203633312147d1e",
          "name": "www.virgilio. various Malacious tld's",
          "description": "",
          "modified": "2023-12-06T14:51:59.166000",
          "created": "2023-12-06T14:51:59.166000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-SHA256": 238,
            "URL": 818,
            "domain": 177,
            "hostname": 336,
            "email": 6,
            "FileHash-MD5": 79,
            "FileHash-SHA1": 47
          },
          "indicator_count": 1702,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62688d358d6c324c85aa0842",
          "name": "http://www.ftpftpftp.com/yk.exe",
          "description": "",
          "modified": "2022-05-27T00:00:15.468000",
          "created": "2022-04-27T00:24:21.317000",
          "tags": [],
          "references": [
            "https://hybrid-analysis.com/sample/e970d327564392cac3cedaa816dfd4a0906405b653394de9894bf65590c3e944/626706d6f95729098b37ac9d"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 371,
            "hostname": 89,
            "domain": 95,
            "FileHash-SHA256": 168,
            "CVE": 1,
            "FileHash-MD5": 62,
            "FileHash-SHA1": 47
          },
          "indicator_count": 833,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 395,
          "modified_text": "1466 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62688d3680f604c08644d1f5",
          "name": "http://www.ftpftpftp.com/yk.exe",
          "description": "",
          "modified": "2022-05-27T00:00:15.468000",
          "created": "2022-04-27T00:24:22.553000",
          "tags": [],
          "references": [
            "https://hybrid-analysis.com/sample/e970d327564392cac3cedaa816dfd4a0906405b653394de9894bf65590c3e944/626706d6f95729098b37ac9d"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 439,
            "hostname": 112,
            "domain": 111,
            "FileHash-SHA256": 177,
            "CVE": 1,
            "FileHash-MD5": 62,
            "FileHash-SHA1": 47
          },
          "indicator_count": 949,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 396,
          "modified_text": "1466 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62498485afc3d6ebba050b8b",
          "name": "www.virgilio. various Malacious tld's",
          "description": "",
          "modified": "2022-05-03T00:01:26.398000",
          "created": "2022-04-03T11:27:01.556000",
          "tags": [
            "virgillo"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/c914c5cc1371bbc7d2285bbbeec77a94a0d1586c73d3a3f95b48766f1452cca8/6248c9f1f90df91459524ac8"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 336,
            "domain": 177,
            "URL": 818,
            "FileHash-SHA256": 238,
            "CVE": 1,
            "FileHash-MD5": 79,
            "FileHash-SHA1": 47,
            "email": 6
          },
          "indicator_count": 1702,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 398,
          "modified_text": "1490 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://dnschecker.org/ip-location.php?ip=31.204.146.148",
        "https://www.criminalip.io/domain/report?scan_id=8544746",
        "https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
        "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/5efec3f6b03bcb74f200310b",
        "https://www.criminalip.io/domain/report?scan_id=8544687",
        "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/653366aac5f632cbbf0f0000",
        "https://hybrid-analysis.com/sample/020fe56e2d49ead60b67a1e20b43ee0846c493c7edb3118b34c5c964fc131794/6533667318fa4c29320ec174",
        "https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564",
        "https://www.criminalip.io/asset/report/69.166.14.38",
        "https://hybrid-analysis.com/sample/c914c5cc1371bbc7d2285bbbeec77a94a0d1586c73d3a3f95b48766f1452cca8/6248c9f1f90df91459524ac8",
        "https://hybrid-analysis.com/sample/2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e",
        "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
        "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
        "https://hybrid-analysis.com/sample/e970d327564392cac3cedaa816dfd4a0906405b653394de9894bf65590c3e944/626706d6f95729098b37ac9d",
        "https://www.criminalip.io/images/search/domain/category/icon_page_redirections.svg",
        "https://www.criminalip.io/asset/report/114.215.222.125"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Unknown"
          ],
          "industries": [
            "Individuals"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "69d48d3b4900e932be011875",
      "name": "Free Automated Malware Analysis Service - Falcon Sandbox -",
      "description": "",
      "modified": "2026-05-07T04:07:52.917000",
      "created": "2026-04-07T04:51:07.162000",
      "tags": [
        "ip address",
        "december",
        "c2 server",
        "famous chollima",
        "hostwinds",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "threat level",
        "ansi",
        "date",
        "pcap",
        "pcap processing",
        "report domain",
        "report",
        "sha256",
        "filepath",
        "runtime process",
        "path",
        "suspicious",
        "hostile",
        "hybrid",
        "accept",
        "close",
        "click",
        "hosts",
        "malicious",
        "general",
        "local",
        "factory",
        "strings",
        "contact",
        "united",
        "flag",
        "germany germany",
        "enom",
        "gmt flag",
        "server",
        "name server",
        "contacted hosts",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please",
        "prefetch8 ansi",
        "show process",
        "hash seen",
        "ck id",
        "win64",
        "gecko",
        "mitre att",
        "comspec",
        "april",
        "refresh",
        "model",
        "mozi",
        "window",
        "dest"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
        "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
        "https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
        "https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 84,
        "domain": 72,
        "URL": 112,
        "FileHash-MD5": 94,
        "FileHash-SHA1": 68,
        "email": 2,
        "hostname": 91,
        "SSLCertFingerprint": 12
      },
      "indicator_count": 535,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d48d3b4cb631f407faf565",
      "name": "Free Automated Malware Analysis Service - Falcon Sandbox -",
      "description": "",
      "modified": "2026-05-07T04:07:52.917000",
      "created": "2026-04-07T04:51:07.591000",
      "tags": [
        "ip address",
        "december",
        "c2 server",
        "famous chollima",
        "hostwinds",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "threat level",
        "ansi",
        "date",
        "pcap",
        "pcap processing",
        "report domain",
        "report",
        "sha256",
        "filepath",
        "runtime process",
        "path",
        "suspicious",
        "hostile",
        "hybrid",
        "accept",
        "close",
        "click",
        "hosts",
        "malicious",
        "general",
        "local",
        "factory",
        "strings",
        "contact",
        "united",
        "flag",
        "germany germany",
        "enom",
        "gmt flag",
        "server",
        "name server",
        "contacted hosts",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please",
        "prefetch8 ansi",
        "show process",
        "hash seen",
        "ck id",
        "win64",
        "gecko",
        "mitre att",
        "comspec",
        "april",
        "refresh",
        "model",
        "mozi",
        "window",
        "dest"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
        "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
        "https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
        "https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 84,
        "domain": 72,
        "URL": 112,
        "FileHash-MD5": 94,
        "FileHash-SHA1": 68,
        "email": 2,
        "hostname": 91,
        "SSLCertFingerprint": 12
      },
      "indicator_count": 535,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d48d3cfab80e8a75ef85c1",
      "name": "Free Automated Malware Analysis Service - Falcon Sandbox -",
      "description": "",
      "modified": "2026-05-07T04:07:52.917000",
      "created": "2026-04-07T04:51:08.017000",
      "tags": [
        "ip address",
        "december",
        "c2 server",
        "famous chollima",
        "hostwinds",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "threat level",
        "ansi",
        "date",
        "pcap",
        "pcap processing",
        "report domain",
        "report",
        "sha256",
        "filepath",
        "runtime process",
        "path",
        "suspicious",
        "hostile",
        "hybrid",
        "accept",
        "close",
        "click",
        "hosts",
        "malicious",
        "general",
        "local",
        "factory",
        "strings",
        "contact",
        "united",
        "flag",
        "germany germany",
        "enom",
        "gmt flag",
        "server",
        "name server",
        "contacted hosts",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please",
        "prefetch8 ansi",
        "show process",
        "hash seen",
        "ck id",
        "win64",
        "gecko",
        "mitre att",
        "comspec",
        "april",
        "refresh",
        "model",
        "mozi",
        "window",
        "dest"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
        "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
        "https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
        "https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 84,
        "domain": 72,
        "URL": 113,
        "FileHash-MD5": 94,
        "FileHash-SHA1": 68,
        "email": 2,
        "hostname": 91,
        "SSLCertFingerprint": 12
      },
      "indicator_count": 536,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689b9b9fab42ca4f016a226f",
      "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)",
      "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's AI-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAI platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022  Nymeria\n\u2022 Forcud +",
      "modified": "2025-09-11T13:03:18.814000",
      "created": "2025-08-12T19:53:03.953000",
      "tags": [
        "url http",
        "url https",
        "indicator role",
        "title added",
        "active related",
        "pulses url",
        "entries",
        "learn",
        "command",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "spawns",
        "mitre att",
        "ck techniques",
        "evasion att",
        "href",
        "copy md5",
        "copy sha1",
        "copy sha256",
        "sha1",
        "sha256",
        "show technique",
        "ck matrix",
        "null",
        "refresh",
        "body",
        "span",
        "general",
        "local",
        "path",
        "iframe",
        "click",
        "date",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "united",
        "unknown ns",
        "ip address",
        "creation date",
        "search",
        "present sep",
        "moved",
        "domain add",
        "encrypt",
        "accept",
        "please",
        "passive dns",
        "msie",
        "next associated",
        "html",
        "background",
        "unknown site",
        "div div",
        "trojan",
        "zeus",
        "process32nextw",
        "read c",
        "show",
        "shellexecuteexw",
        "windows nt",
        "wow64",
        "copy",
        "dock",
        "write",
        "malware",
        "unknown",
        "defense evasion",
        "t1480 execution",
        "file defense",
        "august",
        "hybrid",
        "port",
        "destination",
        "tlsv1",
        "as15169",
        "ogoogle trust",
        "cngts ca",
        "execution",
        "next",
        "persistence",
        "data upload",
        "extraction",
        "win32",
        "ransom",
        "trojandropper",
        "mtb nov",
        "forcud",
        "files show",
        "date hash",
        "avast avg"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4179,
        "domain": 774,
        "hostname": 1673,
        "FileHash-MD5": 169,
        "FileHash-SHA1": 110,
        "FileHash-SHA256": 2073,
        "email": 1,
        "SSLCertFingerprint": 13,
        "CVE": 1
      },
      "indicator_count": 8993,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "262 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65336ac2b48ca82aeb55aeed",
      "name": "Woodynet.net,Id3.net and me.",
      "description": "The saga continues - But without invoking the jinx I'll focus on the data: Woodynet.net and Id3.net have been my (notso)friendly unoptoutable-dns-resolvers i'm assuming since all of this kicked off now nearing over 1.5+ years ago. I was finally able to dump my iPhone12 in which I had had since this all started and with that really gain some leg and breathing room. But, I'm still being pumped malicious software in the form of ISO's, linux packages, Windows Updates, and so on. And these are the nexus right here. I was able to net a solid bounty from Hybrid-Analysis including 15+ trojans, about 10 different backdoors, and a slew of other collateral that honestly surprised me as Criminalip and OTX weren't wanting to speak the same language in terms of IOC translations from them to the pulse. I'm trying in vain to find the beacon(s) or whatever they're using to keep persistence.",
      "modified": "2024-02-14T21:43:43.324000",
      "created": "2023-10-21T06:08:02.798000",
      "tags": [
        "ip lookup",
        "port check",
        "vulnerability scanner",
        "attack surface",
        "cyber threat intelligence",
        "cti",
        "asm",
        "domain",
        "exploit",
        "phishing",
        "ip address",
        "united",
        "criminal",
        "historical",
        "information",
        "ai spera",
        "search engine",
        "ip search",
        "english english",
        "franais",
        "contact",
        "china",
        "ip location",
        "ip owner",
        "internet",
        "ip locator",
        "remember",
        "dp ip",
        "ip checker",
        "lookup",
        "strong",
        "summary",
        "ip information",
        "pricing login",
        "score",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "ansi",
        "data",
        "decrypted ssl",
        "windows nt",
        "threat level",
        "runtime data",
        "okserver",
        "date",
        "ffffff",
        "plugin",
        "path",
        "stop",
        "mask",
        "accept",
        "click",
        "prop",
        "error",
        "template",
        "class",
        "core",
        "span",
        "body",
        "suspicious",
        "back",
        "cluster",
        "null",
        "form",
        "zbot",
        "bounce",
        "this",
        "linear",
        "window",
        "ticker",
        "tick",
        "import",
        "orbit",
        "config",
        "main",
        "android",
        "cookie",
        "trident",
        "vidc",
        "hybrid",
        "close",
        "hosts",
        "general",
        "local",
        "mozilla",
        "strings",
        "podcast",
        "team",
        "june",
        "criminal ip",
        "engine",
        "resource",
        "dropped file",
        "pattern match",
        "script",
        "noscript",
        "connectivity",
        "bare metal",
        "iframe",
        "enterprise",
        "discord",
        "twitter",
        "facebook",
        "meta",
        "media",
        "story",
        "tools",
        "tokyo",
        "rocket",
        "fullscreen",
        "next",
        "small",
        "bare",
        "font",
        "helvetica",
        "arial",
        "tbody",
        "dnssec",
        "woodynet",
        "paris",
        "hong",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please"
      ],
      "references": [
        "https://www.criminalip.io/asset/report/69.166.14.38",
        "https://www.criminalip.io/asset/report/114.215.222.125",
        "https://dnschecker.org/ip-location.php?ip=31.204.146.148",
        "https://www.criminalip.io/domain/report?scan_id=8544746",
        "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/5efec3f6b03bcb74f200310b",
        "https://www.criminalip.io/images/search/domain/category/icon_page_redirections.svg",
        "https://www.criminalip.io/domain/report?scan_id=8544687",
        "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/653366aac5f632cbbf0f0000",
        "https://hybrid-analysis.com/sample/020fe56e2d49ead60b67a1e20b43ee0846c493c7edb3118b34c5c964fc131794/6533667318fa4c29320ec174",
        "https://hybrid-analysis.com/sample/2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Unknown",
          "display_name": "Unknown",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1043",
          "name": "Commonly Used Port",
          "display_name": "T1043 - Commonly Used Port"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        }
      ],
      "industries": [
        "individuals"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 42,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 268,
        "hostname": 50,
        "domain": 61,
        "FileHash-MD5": 112,
        "FileHash-SHA1": 110,
        "FileHash-SHA256": 110,
        "email": 9
      },
      "indicator_count": 720,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 74,
      "modified_text": "837 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65708cbaff7263ec6e06baa7",
      "name": "http://www.ftpftpftp.com/yk.exe",
      "description": "",
      "modified": "2023-12-06T15:01:14.367000",
      "created": "2023-12-06T15:01:14.367000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 177,
        "FileHash-MD5": 62,
        "FileHash-SHA1": 47,
        "URL": 439,
        "domain": 111,
        "hostname": 112,
        "CVE": 1
      },
      "indicator_count": 949,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65708cb730ef54f76f707779",
      "name": "http://www.ftpftpftp.com/yk.exe",
      "description": "",
      "modified": "2023-12-06T15:01:11.538000",
      "created": "2023-12-06T15:01:11.538000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 168,
        "FileHash-MD5": 62,
        "FileHash-SHA1": 47,
        "URL": 371,
        "domain": 95,
        "hostname": 89,
        "CVE": 1
      },
      "indicator_count": 833,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65708a8f3203633312147d1e",
      "name": "www.virgilio. various Malacious tld's",
      "description": "",
      "modified": "2023-12-06T14:51:59.166000",
      "created": "2023-12-06T14:51:59.166000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-SHA256": 238,
        "URL": 818,
        "domain": 177,
        "hostname": 336,
        "email": 6,
        "FileHash-MD5": 79,
        "FileHash-SHA1": 47
      },
      "indicator_count": 1702,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62688d358d6c324c85aa0842",
      "name": "http://www.ftpftpftp.com/yk.exe",
      "description": "",
      "modified": "2022-05-27T00:00:15.468000",
      "created": "2022-04-27T00:24:21.317000",
      "tags": [],
      "references": [
        "https://hybrid-analysis.com/sample/e970d327564392cac3cedaa816dfd4a0906405b653394de9894bf65590c3e944/626706d6f95729098b37ac9d"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 371,
        "hostname": 89,
        "domain": 95,
        "FileHash-SHA256": 168,
        "CVE": 1,
        "FileHash-MD5": 62,
        "FileHash-SHA1": 47
      },
      "indicator_count": 833,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 395,
      "modified_text": "1466 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62688d3680f604c08644d1f5",
      "name": "http://www.ftpftpftp.com/yk.exe",
      "description": "",
      "modified": "2022-05-27T00:00:15.468000",
      "created": "2022-04-27T00:24:22.553000",
      "tags": [],
      "references": [
        "https://hybrid-analysis.com/sample/e970d327564392cac3cedaa816dfd4a0906405b653394de9894bf65590c3e944/626706d6f95729098b37ac9d"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 439,
        "hostname": 112,
        "domain": 111,
        "FileHash-SHA256": 177,
        "CVE": 1,
        "FileHash-MD5": 62,
        "FileHash-SHA1": 47
      },
      "indicator_count": 949,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 396,
      "modified_text": "1466 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "tigo.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "tigo.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780283429.6483912
}