Domain · Medium · Signal 40/100
freeav.com
Location
First Seen
Oct 5, 2022
Last Seen
May 1, 2026
Found in 7 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
40%
Signal Score
40 / 100
IDS Rule
No
Threat Context
Tags: (not populated)
MITRE ATT&CK TTPs: (not populated)
Feed Intelligence Summary
7 source reports · 40% confidence score
Category tags
The tag cloud is aggregated across the 7 source reports, and the extraction ran its entries together without separators, so only the groups that can be read back reliably are listed here. Most of these tags describe the contributing reports (their malware families, sectors and regions) rather than freeav.com itself; none of them is an attribution for this domain on its own.
- Malware families and tools: Agent Tesla, AsyncRAT, AZORult, Brontok, Cobalt Strike, Colibri Loader, Emotet, Fareit, Gamaredon, GoldBackdoor, Hive ransomware, Korplug, Lazarus, Lokibot, NanoCore RAT, njRAT, Nymaim, Occamy, Pony, QakBot/Qbot, Quasar, Ramnit, RansomEXX, RedLine Stealer, Remcos, Ryuk, Ursnif, Virut, Wacatac, Zbot, Zpevdo; YARA match predator_the_thief.
- Activity types: command and control (c2), phishing, malware distribution and droppers, botnet activity, brute force and credential stuffing, credential harvesting, data exfiltration, DDoS, cryptojacking, ransomware and extortion, malvertising, process injection, DGA, tor node, web application exploitation, network scanning and reconnaissance.
- MITRE ATT&CK tactics: TA0006 Credential Access, TA0007 Discovery, TA0009 Collection, TA0011 Command and Control, TA0040 Impact.
- MITRE ATT&CK techniques: T1003, T1005, T1016, T1021, T1021.001, T1027, T1030, T1040, T1041, T1045, T1053, T1055, T1057, T1059, T1059.001, T1059.003, T1060, T1068, T1071, T1071.001, T1078, T1082, T1083, T1105, T1110, T1110.001, T1110.002, T1110.003, T1110.004, T1112, T1113, T1119, T1124, T1129, T1133, T1143, T1189, T1190, T1192, T1203, T1204, T1204.001, T1204.002, T1480, T1486, T1490, T1496, T1499.001, T1499.002, T1499.003, T1547, T1553, T1560, T1562, T1565, T1566, T1566.001, T1566.002, T1566.003, T1566.004, T1567, T1567.001, T1569.002, T1583, T1587.001, T1589, T1589.001, T1590.001, T1595, T1595.001, T1595.002, T1595.003. Several of these (T1045, T1060, T1143, T1192) are revoked or deprecated IDs, which dates some of the contributing reports.
- Malware Behavior Catalog style identifiers: OB0001, OB0002, OB0007, OB0012, OC0001, OC0003, OC0006, C0005.
- Sectors: education (K-12, higher education, academic institutions), healthcare (hospital management, electronic health records), finance and banking, energy (power generation, renewable energy, oil & gas), telecommunications and mobile carriers, government and public administration, IT and software development.
- Regions and countries: United States, Canada (Alberta), United Kingdom, Germany, Netherlands, Poland, Slovakia, Russia, Ukraine, China, Hong Kong, South Korea, Philippines, Australia, Mexico, Costa Rica, Curaçao, Barbados, Anguilla, Trinidad and Tobago, Virgin Islands (U.S.), Sint Maarten (Dutch part), Aruba.
- Enrichment and source vocabulary: WHOIS/RDAP fields (registrar, MarkMonitor Inc, name servers, DNSSEC, whois privacy, creation and expiry dates), passive DNS, TLS/SSL certificate and SNI fields, Cisco Umbrella and Alexa rankings, sandbox verdicts (Hybrid Analysis / Falcon Sandbox, VT graph), YARA and Sigma detections, ET IDS rule references, OTX pulse fields.
- Off-topic residue (adult-site search terms including a personal name, local organisations, file-type strings) also appears in the cloud; it is carried over from the source reports' tag sets and carries no signal about this domain.
Activity Timeline
Peak activity: 2026-05-01
Sightings per window (relative to the page snapshot, taken about one month after the last sighting, which is why the 30-day window is empty despite a last-seen date of May 1, 2026)
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Intelligence Summary (AI generated)
The domain **freeav.com**, registered in Curaçao, has emerged as a significant indicator of compromise (IOC) in the cybersecurity landscape. First observed on October
Note: the WHOIS record on this page lists Registrant Country: US, which does not support the "registered in Curaçao" claim in the generated summary; verify before citing either.
Threat Score: Medium Risk
Signal: 40 / 100
Confidence: 40%
Reports: 7
First seen: Oct 5, 2022
Last seen: May 1, 2026
VirusTotal
Not checked
WHOIS
- registrar
- MarkMonitor Inc. (IANA ID 292; WHOIS server whois.markmonitor.com; registrar URL http://www.markmonitor.com; abuse contact [email protected] (address obfuscated in the extraction), +1.2086851750)
- domain rank
- -1
- raw (registrar and registry output were run together on one line and most fields appear twice; duplicates folded here)
- Domain Name: freeav.com (Registry Domain ID: 4747532_DOMAIN_COM-VRSN)
- Creation Date: 1999-03-26T05:00:00Z
- Updated Date: 2024-02-23T09:04:58Z
- Registry Expiry Date: 2026-03-26T04:00:00Z; Registrar Registration Expiration Date: 2026-03-26T00:00:00+0000
- Domain Status: clientDeleteProhibited, clientTransferProhibited, clientUpdateProhibited (ICANN EPP codes, e.g. https://icann.org/epp#clientTransferProhibited)
- Name Server: edns109.ultradns.biz, edns109.ultradns.com, edns109.ultradns.net, edns109.ultradns.org
- DNSSEC: unsigned
- Registrant Country: US; Registrant Organization: a88facab3ee3e272; Registrant Email: 40fbc665a614d95es@ (registrant fields are shown redacted/hashed, and the email is truncated on the page)
- Registrar: MarkMonitor Inc. (also printed as "MarkMonitor, Inc.")
- Note: the Updated Date (2024-02-23) and the expiry date (2026-03-26) both precede the last-seen date (May 1, 2026), so this WHOIS snapshot does not cover the most recent sightings; re-query before relying on registrant or status data. A 1999 registration at a corporate registrar with all three client locks set is also a profile worth weighing against the medium-confidence verdict before blocking outright.
- references (carried over from the source reports; the page does not say how each item relates to freeav.com)
- Related domains: admin2.6cv25r3l.sbs, 6cv25r3l.sbs ("Network Related [ATT&CK ID T1566] Possible high-risk domain detected"; domain "admin2.6cv25r3l.sbs" flagged as a possible high-risk indicator source)
- Sandbox reports: https://hybrid-analysis.com/sample/22530e989e1d0e1121edd79cb620951b0a78dc0a4a1fb7ae07719ebb2f2414b0; https://www.hybrid-analysis.com/sample/a478360da159c358a804f1340f142fa2a0d689e02d743b71509e5e3921877a3e [Research Tool]
- Crowdsourced Sigma rule matches (CRITICAL 0, HIGH 2, MEDIUM 1, LOW 0): CurrentVersion Autorun Keys Modification (Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)); Remote Thread Creation By Uncommon Source Image (Perez Diego (@darkquassar), oscd.community); Remote Thread Creation In Uncommon Target Image (Florian Roth, Nextron Systems)
- Crowdsourced YARA rule matches: aPLib_decompression from ruleset aPLib_decompression by @r3c0nst; one further ruleset could not be loaded
- IDS rule matches: ET MALWARE Tinba Checkin 2; ET MALWARE [PTsecurity] Tinba Checkin 4; PROTOCOL-ICMP Unusual PING detected; PROTOCOL-ICMP traceroute; (eth) truncated ethernet header; PROTOCOL-ICMP PING; PROTOCOL-ICMP Echo Reply; MALWARE BANKER EVADER
- Family tracker lists referenced: wauchos.txt, wiki25.txt, zloader.txt, vipersoftx.txt, tufik.txt, tordwm.txt, virut.txt, tinynuke.txt, sphinx.txt, vidro.txt, sunburst.txt, tempedreve.txt, sisron.txt, rovnix.txt, shiotob.txt, simda.txt, shifu.txt, qakbot.txt, sharkbot.txt
- Other URLs and hosts cited, with the reports' own annotations: https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search; https://www.anyxxxtube.net/search-porn/tsara-brashears/; https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian; https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center; https://www.milehighmedia.com/legal/2257 (exploit_source [Metro T-Mobile attacker. Brazzers | T]); https://www.sweetheartvideo.com/tsara-brashears/ [Botnet tracking campaign, referrer]; https://www.sweetheartvideo.com/tsara-brashears [Network ID]; https://www.sweetheartvideo.com [Pattern match, Brashears]; m1.sweetheartvideo.com [mailer!]; mba3.sweetheartvideo.com [Server]; Other; browser.events.data.msn.com [sandbox and archive browser events]
- subdomains count
- 4
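The raw WHOIS record above was flattened onto one line with registrar and registry output interleaved. The Python below is added here as an example (it is not code from the page or its data provider); it parses that text back into fields and runs the two checks that matter when WHOIS is used to judge an IOC: whether the snapshot still covers the last sighting, and whether registrar locks are set. RAW_WHOIS is the record as printed above; the last-seen value passed to expiry_check is the page's May 1, 2026 date with an assumed midnight UTC time.

```python
"""Parse a flattened WHOIS record and sanity-check its dates against sighting data.

Added example; not code from the page or its data provider. RAW_WHOIS is the
record as printed on the page (registrar and registry output run together).
"""
import re
from datetime import datetime

RAW_WHOIS = (
    "Creation Date: 1999-03-26T05:00:00+0000 Creation Date: 1999-03-26T05:00:00Z "
    "DNSSEC: unsigned Domain Name: FREEAV.COM Domain Name: freeav.com "
    "Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited) "
    "Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited "
    "Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited) "
    "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited "
    "Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited) "
    "Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited "
    "Name Server: EDNS109.ULTRADNS.BIZ Name Server: EDNS109.ULTRADNS.COM "
    "Name Server: EDNS109.ULTRADNS.NET Name Server: EDNS109.ULTRADNS.ORG "
    "Name Server: edns109.ultradns.biz Name Server: edns109.ultradns.com "
    "Name Server: edns109.ultradns.net Name Server: edns109.ultradns.org "
    "Registrant Country: US Registrant Email: 40fbc665a614d95es@ "
    "Registrant Organization: a88facab3ee3e272 "
    "Registrar Abuse Contact Email: [email protected] Registrar Abuse Contact Phone: +1.2086851750 "
    "Registrar IANA ID: 292 Registrar Registration Expiration Date: 2026-03-26T00:00:00+0000 "
    "Registrar URL: http://www.markmonitor.com Registrar WHOIS Server: whois.markmonitor.com "
    "Registrar: MarkMonitor Inc. Registrar: MarkMonitor, Inc. "
    "Registry Domain ID: 4747532_DOMAIN_COM-VRSN Registry Expiry Date: 2026-03-26T04:00:00Z "
    "Updated Date: 2024-02-23T09:04:58+0000 Updated Date: 2024-02-23T09:04:58Z"
)

# Field labels that occur in the record. Splitting on these recovers the
# key/value pairs even though every line break was lost in extraction.
WHOIS_KEYS = [
    "Creation Date", "DNSSEC", "Domain Name", "Domain Status", "Name Server",
    "Registrant Country", "Registrant Email", "Registrant Organization",
    "Registrar Abuse Contact Email", "Registrar Abuse Contact Phone",
    "Registrar IANA ID", "Registrar Registration Expiration Date",
    "Registrar URL", "Registrar WHOIS Server", "Registrar", "Registry Domain ID",
    "Registry Expiry Date", "Updated Date",
]

# Longest labels first so "Registrar URL" is never cut short to "Registrar".
_KEY_RE = re.compile(
    r"(?<!\S)("
    + "|".join(re.escape(k) for k in sorted(WHOIS_KEYS, key=len, reverse=True))
    + r"):\s*"
)


def parse_flat_whois(text: str) -> dict[str, list[str]]:
    """Recover key -> [values] from WHOIS text whose line breaks were lost.

    Registrar and registry both echo most fields, so case-only duplicates are
    folded; distinct spellings (e.g. "+0000" vs "Z" timestamps) are kept so
    nothing is silently dropped.
    """
    hits = list(_KEY_RE.finditer(text))
    record: dict[str, list[str]] = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        value = text[m.end():end].strip()
        values = record.setdefault(m.group(1), [])
        if value.casefold() not in {v.casefold() for v in values}:
            values.append(value)
    return record


def status_codes(record: dict[str, list[str]]) -> set[str]:
    """EPP status codes with the trailing ICANN explanation URLs stripped."""
    return {v.split()[0] for v in record.get("Domain Status", [])}


def parse_whois_date(value: str) -> datetime:
    """Accept the timestamp spellings seen in WHOIS output: ...Z, ...+0000, ...+00:00."""
    v = value.strip()
    if v.endswith("Z"):
        v = v[:-1] + "+00:00"
    v = re.sub(r"([+-]\d{2})(\d{2})$", r"\1:\2", v)  # +0000 -> +00:00
    return datetime.fromisoformat(v)


def expiry_check(record: dict[str, list[str]], last_seen_iso: str) -> dict[str, object]:
    """Flag a WHOIS snapshot that cannot explain the latest sighting.

    If the IOC was still seen after the earliest recorded expiry, the snapshot
    is stale (the domain was renewed, dropped or re-registered since) and must
    be re-queried before its registrant data is used for attribution.
    """
    expiries = [
        parse_whois_date(v)
        for key in ("Registry Expiry Date", "Registrar Registration Expiration Date")
        for v in record.get(key, [])
    ]
    earliest_expiry = min(expiries)
    last_seen = parse_whois_date(last_seen_iso)
    snapshot = max(parse_whois_date(v) for v in record["Updated Date"])
    created = parse_whois_date(record["Creation Date"][0])
    return {
        "expiry": earliest_expiry.date().isoformat(),
        "snapshot": snapshot.date().isoformat(),
        "stale": last_seen > earliest_expiry,
        "registrar_locked": {"clientTransferProhibited", "clientUpdateProhibited"} <= status_codes(record),
        "age_years": (snapshot - created).days // 365,
    }


if __name__ == "__main__":
    rec = parse_flat_whois(RAW_WHOIS)
    # Assumed time of day: the page shows only "May 1, 2026".
    print(expiry_check(rec, "2026-05-01T00:00:00Z"))
```

With the page's record the check reports the snapshot date 2024-02-23, the earliest expiry 2026-03-26, registrar locks present, and stale=True because the last sighting postdates the expiry; that is the cue to re-run WHOIS rather than quote the registrant fields shown here.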
Export & API
STIX 2.1 Bundle
CSV Export
Permalink
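For the STIX 2.1 export listed above, this is what a minimal bundle for the IOC looks like when built with the standard library alone. It is an added example, not the site's own export code: it uses the page's values (freeav.com, first seen Oct 5, 2022, last seen May 1, 2026, confidence 40, 7 reports), assumes midnight UTC for dates the page shows without a time, and derives the labels from the page's category text. The indicator and sighting ids are random per run, while the domain-name id is deterministic as the spec requires for SCOs.

```python
"""Build and validate a STIX 2.1 bundle for a domain IOC using only the stdlib.

Added example; not the site's export code. Page values: freeav.com, first seen
2022-10-05, last seen 2026-05-01, confidence 40, 7 reports. Times of day are
assumed (midnight UTC) because the page shows dates only.
"""
import json
import uuid
from datetime import datetime, timezone

# Namespace the STIX 2.1 spec fixes for deterministic SCO identifiers.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

REQUIRED_INDICATOR_PROPS = ("type", "spec_version", "id", "created", "modified",
                            "pattern", "pattern_type", "valid_from")


def _as_utc(value: str) -> datetime:
    """Parse '2022-10-05' or a full RFC 3339 string; naive values are taken as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def stix_timestamp(value: str) -> str:
    """RFC 3339 UTC timestamp with millisecond precision, the form STIX uses."""
    dt = _as_utc(value).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + ".%03dZ" % (dt.microsecond // 1000)


def domain_name_id(domain: str) -> str:
    """Deterministic SCO id: UUIDv5 over the canonical JSON of the id-contributing
    properties (for domain-name, only 'value'), so two producers agree on the id."""
    canon = json.dumps({"value": domain}, separators=(",", ":"), sort_keys=True)
    return f"domain-name--{uuid.uuid5(STIX_SCO_NAMESPACE, canon)}"


def stix_pattern_for_domain(domain: str) -> str:
    """Observation expression; backslashes and single quotes in the value are escaped."""
    escaped = domain.replace("\\", "\\\\").replace("'", "\\'")
    return f"[domain-name:value = '{escaped}']"


def build_bundle(domain: str, first_seen: str, last_seen: str, confidence: int,
                 report_count: int, created: str = "2026-06-01T00:00:00Z") -> dict:
    """Bundle = domain-name SCO + indicator + sighting spanning first/last seen.

    'created' defaults to an assumed export time; pass the real one in production.
    """
    stamp = stix_timestamp(created)
    sco = {"type": "domain-name", "spec_version": "2.1",
           "id": domain_name_id(domain), "value": domain}
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": f"Malicious domain: {domain}",
        "description": f"Reported in {report_count} threat reports; confidence is heuristic.",
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern_for_domain(domain),
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": stix_timestamp(first_seen),
        "confidence": int(confidence),  # STIX confidence is an integer 0..100
        # Labels mirror the page's category text "C2, phishing, or malware distribution".
        "labels": ["c2", "phishing", "malware-distribution"],
    }
    sighting = {
        "type": "sighting",
        "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "sighting_of_ref": indicator["id"],
        "first_seen": stix_timestamp(first_seen),
        "last_seen": stix_timestamp(last_seen),
        "count": int(report_count),
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [sco, indicator, sighting]}


def validate_indicator(obj: dict) -> list[str]:
    """Structural checks a consumer should run on feed objects before ingesting them."""
    problems = [f"missing required property {k}" for k in REQUIRED_INDICATOR_PROPS if k not in obj]
    if obj.get("type") != "indicator":
        problems.append("type must be 'indicator'")
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version must be '2.1'")
    if not str(obj.get("id", "")).startswith("indicator--"):
        problems.append("id must be prefixed with the object type")
    conf = obj.get("confidence")
    if conf is not None and not (isinstance(conf, int) and 0 <= conf <= 100):
        problems.append("confidence must be an integer in 0..100")
    if obj.get("pattern_type") == "stix" and not str(obj.get("pattern", "")).startswith("["):
        problems.append("stix patterns are bracketed observation expressions")
    if "valid_until" in obj and obj["valid_until"] <= obj.get("valid_from", ""):
        problems.append("valid_until must be after valid_from")
    return problems


def bundle_to_json(bundle: dict) -> str:
    return json.dumps(bundle, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(bundle_to_json(build_bundle("freeav.com", "2022-10-05", "2026-05-01", 40, 7)))
```

The sighting carries first/last seen and the report count so a consumer can age the indicator out; the indicator's valid_from is the first sighting, and valid_until is deliberately left unset because the page gives no expiry for the verdict.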
IOC Journey
Medium · First detected 3 years ago · Last seen 1 month ago
Appeared in 7 threat reports