{
  "type": "Domain",
  "indicator": "yturu.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/yturu.com",
    "alexa": "http://www.alexa.com/siteinfo/yturu.com",
    "indicator": "yturu.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3323168050,
      "indicator": "yturu.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "63a1c00e773e7c902b8dae7f",
          "name": "Malicious Glupteba botnet",
          "description": "The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from MikroTik and Netgear.\n\nIt is also an unusual example of malware that has used the Bitcoin blockchain as part of its command-and-control (C2) mechanism since at least 2019: the bots read current C2 server addresses from blockchain transaction data rather than from a hard-coded domain, which makes the infrastructure far more resistant to takedown than a traditional C2 server would be.",
          "modified": "2022-12-20T14:00:46.988000",
          "created": "2022-12-20T14:00:46.988000",
          "tags": [
            "recent sha256",
            "block explorer",
            "bitcoin explorer",
            "blockchain explorer",
            "transaction search",
            "bitcoin address",
            "ethereum address",
            "ether",
            "ethereum blockchain",
            "ethereum transaction",
            "ethereum unconfirmed transaction",
            "ethereum explorer",
            "etherscan",
            "home prices",
            "charts nfts",
            "buy more",
            "defi academy",
            "cash btc",
            "testnet bch",
            "testnet english",
            "espaol portugus",
            "pycc franais",
            "deutsch usd",
            "opreturn",
            "bitcoin",
            "utxo",
            "bitcoin core",
            "opreturn change",
            "utxo database",
            "ecdh address",
            "glupteba",
            "cyber threats",
            "malware",
            "research",
            "network",
            "socks proxy",
            "c server",
            "trend micro",
            "glupteba botnet",
            "mikrotik",
            "windows",
            "hkeyusers",
            "post request",
            "download",
            "verify",
            "enumerate",
            "google",
            "campaign",
            "xyzc2 domain",
            "november",
            "figure",
            "addressfirst",
            "nozomi networks",
            "june",
            "evolution",
            "virustotal",
            "february",
            "april"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/",
            "https://www.trendmicro.com/en_us/research/19/i/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions.html",
            "https://www.blockchain.com/explorer/addresses/btc/1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BITSecurity",
            "id": "103352",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 26,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 13,
            "domain": 62,
            "URL": 1,
            "CVE": 1
          },
          "indicator_count": 117,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 244,
          "modified_text": "1258 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/",
        "https://www.trendmicro.com/en_us/research/19/i/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions.html",
        "https://www.blockchain.com/explorer/addresses/btc/1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Glupteba"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "63a1c00e773e7c902b8dae7f",
      "name": "Malicious Glupteba botnet",
      "description": "The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from MikroTik and Netgear.\n\nIt is also an unusual example of malware that has used the Bitcoin blockchain as part of its command-and-control (C2) mechanism since at least 2019: the bots read current C2 server addresses from blockchain transaction data rather than from a hard-coded domain, which makes the infrastructure far more resistant to takedown than a traditional C2 server would be.",
      "modified": "2022-12-20T14:00:46.988000",
      "created": "2022-12-20T14:00:46.988000",
      "tags": [
        "recent sha256",
        "block explorer",
        "bitcoin explorer",
        "blockchain explorer",
        "transaction search",
        "bitcoin address",
        "ethereum address",
        "ether",
        "ethereum blockchain",
        "ethereum transaction",
        "ethereum unconfirmed transaction",
        "ethereum explorer",
        "etherscan",
        "home prices",
        "charts nfts",
        "buy more",
        "defi academy",
        "cash btc",
        "testnet bch",
        "testnet english",
        "espaol portugus",
        "pycc franais",
        "deutsch usd",
        "opreturn",
        "bitcoin",
        "utxo",
        "bitcoin core",
        "opreturn change",
        "utxo database",
        "ecdh address",
        "glupteba",
        "cyber threats",
        "malware",
        "research",
        "network",
        "socks proxy",
        "c server",
        "trend micro",
        "glupteba botnet",
        "mikrotik",
        "windows",
        "hkeyusers",
        "post request",
        "download",
        "verify",
        "enumerate",
        "google",
        "campaign",
        "xyzc2 domain",
        "november",
        "figure",
        "addressfirst",
        "nozomi networks",
        "june",
        "evolution",
        "virustotal",
        "february",
        "april"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/",
        "https://www.trendmicro.com/en_us/research/19/i/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions.html",
        "https://www.blockchain.com/explorer/addresses/btc/1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "BITSecurity",
        "id": "103352",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 26,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 13,
        "domain": 62,
        "URL": 1,
        "CVE": 1
      },
      "indicator_count": 117,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 244,
      "modified_text": "1258 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "yturu.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "yturu.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780247156.0930061
}