Domain · Confidence: medium · Signal 11/100
investre.ru
Location: not recorded
First Seen: Jul 5, 2025
Last Seen: Apr 25, 2026
Found in 4 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Type: Domain Name
Feed description: malicious domain used for C2, phishing, or malware distribution. This is the generic label the feed attaches to the indicator type; the page's own confidence for investre.ru is 11 / 100, so treat it as a weak, unverified report rather than a confirmed C2 or phishing host.
MISP Category: Network Activity
Confidence: 11%
Signal Score: 11 / 100
IDS Rule: No
Threat Context
Tags: none mapped.
MITRE ATT&CK TTPs: none mapped in the structured field (technique IDs appear only in the aggregated category tags).
Feed Intelligence Summary
Source reports: 4
Confidence score: 11%
Category tags
Aggregated from all source reports; the separators were lost in extraction and are restored here, and personal names, adult-content terms and other entries with no security meaning are omitted. Tags that describe the reporting scanner's own fields (body length, status code, headers, meta tags, ttl value, record type and the like) are not listed either.

Threat and activity types: abuse, active scan, adware, antivirus evasion, backdoor, bad reputation, botnet, botnet activity, brute force, c2, c2 extraction, c2 injection, callback phishing, code execution, code injection, coinminer, command and control, command execution, credential harvesting, credential stuffing, crypto mining, cryptojacking, cyber criminal, cyber stalking, data access, data copying, data encryption, data exfiltration, data store exposure, data theft, data transfer, ddos, ddos attacks, distributed attacks, dns attack, downloader, dropper, dynamic loader, evasion, exploit, exploitation activity, extortion, hacking, hostname enumeration, http attack, http scanner, identity & access exploitation, information gathering, infrastructure acquisition, ingress tool transfer, injection activity, iot botnet, iot/ics attack, keylogger, known tor, mail spammer, malicious activity, malicious download, malicious links, malicious powershell activity, malicious site, malicious software, malvertizing, malware, malware distribution, malware found, malware site, misc activity, misc attack, network scanning, phishing, phishing attack, phishing site, probe, probe ms17010, process injection, proxy, ransom, ransomware, reconnaissance, remote access, remote access trojan, remote attack, remote services, resource hijacking, scams & fraud, scripting attacks, social engineering, software exploitation, software vulnerabilities, spam, spammer, system disruption, tor node, tor ssl, trojan malware, trojanspy, vulnerability scan, website malware, worm.

Malware families and tools: artemis, azorult, banker, bankerx, bazar, blacknet rat, cobalt strike, ducktail, emotet, gheg, goldmax, grum, mirai botnet, msf style, nircmd, njrat, noname057, nymaim, pegasus, pony, quasar, sibot, skynet, swrort, tiggre, tofsee, trojan:win32/zombie.a, trojanx, ursnif, virtool, wacatac, win32 mydoom (jan, feb), yixun tool.

Detection and enrichment sources: alienvault_ransomware, anomalous_deletefile, blacklist http, blacklist https, cisco umbrella, et exploit, et policy, firehol, historical ssl, looquer, otx telemetry, passive dns, pe anomaly, procmem_yara, static_pe_anomaly, sucuri firewall, suricata alert, yara rule, whois database, whois lookup, whois record, icann whois, registry arin, reverse dns, cname, dnssec, ssl certificate, ca issuers.

Platforms and infrastructure: apple, apple ios, chrome, ie, edge, ios, ipv4, linux mint, mobile, nginx, go daddy, wp engine, wpbakery page, slider plugin, smb, smtp service, html document, pe32 executable, win32 exe, windows malware, internet of things, parking crew.

Sectors: bank security, financial institution, financial services, insurance company, crypto exchange, cryptocurrency, crypto wallet, decentralized finance, bitcoin, blockchain, electronic health records, health care and social assistance, health information technology, healthcare information systems, hospital management, medical services, patient care, government technology, public administration, public infrastructure, public policy, regulatory agencies, civil services, civil society, law enforcement, legal entities, commodity contracts intermediation, workers compensation, software development, information technology, engineering.

Regions: asia, china, europe, ireland, netherlands, north america, russia, united states, virgin islands.

MITRE ATT&CK IDs: t1005, t1021, t1021.001, t1027, t1029, t1030, t1045, t1055, t1057, t1059, t1059.001, t1059.007, t1060, t1064, t1069.001, t1071, t1071.001, t1071.004, t1078, t1086, t1105, t1133, t1140, t1190, t1203, t1204.001, t1204.002, t1486, t1490, t1496, t1499.001, t1499.002, t1499.003, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1569.002, t1587.001, t1589.001, t1590.001. Note that t1045, t1060, t1064 and t1086 are retired IDs in current ATT&CK (superseded by sub-techniques such as t1027.002, t1547.001 and t1059.001), so the reports that supplied them are using an old mapping.
Activity Timeline
Single observation: 2026-04-25 (heatmap peak).
Observations per window:
- 24h: 0 (dormant)
- 7d: 0 (dormant)
- 30d: 0 (dormant)
- 3mo: 1 (minimal)
Threat Score: 11 / 100 (Low Risk); signal 11%; 4 reports; first seen Jul 5, 2025; last seen Apr 25, 2026.
VirusTotal: not checked
WHOIS
- registrar: REGTIME-RU
- domain rank: -1 (no rank recorded)
- raw (TCI record, last updated 2025-07-06T11:53:01Z):
  created: 2014-11-13T15:21:13Z
  domain: INVESTRE.RU
  nserver: ns1.mchost.ru.
  nserver: ns2.mchost.ru.
  nserver: ns3.mchost.ru.
  nserver: ns4.mchost.ru.
  paid-till: 2025-11-13T15:21:13Z
  registrar: REGTIME-RU
  source: TCI
  state: REGISTERED, DELEGATED, UNVERIFIED
- reading the record: the domain was registered in 2014, so it is a long-lived name rather than a freshly minted throwaway. UNVERIFIED is the .ru registry's flag that the registrar has not verified the registrant's identity. The cached record predates the last sighting: paid-till (2025-11-13) falls before the Apr 25, 2026 last-seen date, so the registration may have lapsed, been renewed or changed hands since; re-query WHOIS and DNS before relying on these fields.
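The checks above, as an added example (not the page's own code): a parser for the flattened TCI record shown on the page, plus the triage checks a practitioner runs on it. The record string and the two observation dates are copied from the page; the finding codes, the two-year "long-lived" threshold and the key list used to split the record are this example's own assumptions.

```python
"""Parse a raw TCI (.ru registry) WHOIS record and run basic triage checks.

Added example, not the indicator page's own code. RAW_WHOIS is the record
the page shows (flattened onto one line by extraction); FIRST_SEEN and
LAST_SEEN are the page's sighting dates. Thresholds are assumptions.
"""
import re
from datetime import datetime, timezone

# Constructed from the page: the raw record exactly as displayed.
RAW_WHOIS = (
    "Last updated on 2025-07-06T11:53:01Z created: 2014-11-13T15:21:13Z "
    "domain: INVESTRE.RU nserver: ns1.mchost.ru. nserver: ns2.mchost.ru. "
    "nserver: ns3.mchost.ru. nserver: ns4.mchost.ru. "
    "paid-till: 2025-11-13T15:21:13Z registrar: REGTIME-RU source: TCI "
    "state: REGISTERED, DELEGATED, UNVERIFIED"
)
FIRST_SEEN = datetime(2025, 7, 5, tzinfo=timezone.utc)   # page: first seen
LAST_SEEN = datetime(2026, 4, 25, tzinfo=timezone.utc)   # page: last seen

# Keys TCI emits. Listing all of them keeps an unknown key from being
# swallowed into the previous value when the record sits on one line.
_KEYS = ("domain", "nserver", "state", "org", "person", "registrar",
         "admin-contact", "created", "paid-till", "free-date", "source")
_ALT = "|".join(re.escape(k) for k in _KEYS)
# key: value, where the value runs until the next known key or end of text.
# \s covers newlines too, so the same regex handles a line-based record.
_FIELD_RE = re.compile(rf"\b({_ALT}):\s*(.*?)(?=\s+\b(?:{_ALT}):|\s*$)", re.S)
_UPDATED_RE = re.compile(r"Last updated on (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")


def _ts(value):
    """TCI timestamps are 'YYYY-MM-DDTHH:MM:SSZ' in UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_tci_whois(raw):
    rec = {"nservers": [], "state": [], "last_updated": None}
    m = _UPDATED_RE.search(raw)
    if m:
        rec["last_updated"] = _ts(m.group(1))
    for key, value in _FIELD_RE.findall(raw):
        value = value.strip()
        if key == "nserver":
            rec["nservers"].append(value.rstrip(".").lower())   # drop root dot
        elif key == "state":
            rec["state"] = [s.strip() for s in value.split(",")]
        elif key in ("created", "paid-till", "free-date"):
            rec[key.replace("-", "_")] = _ts(value)
        elif key == "domain":
            rec["domain"] = value.lower()
        else:
            rec[key] = value
    return rec


def domain_age_years(rec, at):
    """Whole years between registration and the observation date."""
    return (at - rec["created"]).days // 365


def assess(rec, observed_at):
    """Return (code, message) findings for a record seen at observed_at."""
    findings = []
    if "UNVERIFIED" in rec["state"]:
        findings.append(("unverified",
                         "TCI marks the registrant UNVERIFIED: identity not confirmed by the registrar"))
    if rec.get("paid_till") and rec["paid_till"] < observed_at:
        findings.append(("paid_till_passed",
                         f"paid-till {rec['paid_till']:%Y-%m-%d} precedes the observation on "
                         f"{observed_at:%Y-%m-%d}; cached record is stale, re-query WHOIS and DNS"))
    age = domain_age_years(rec, observed_at)
    if age >= 2:   # assumption: two years is old enough to rule out a throwaway
        findings.append(("long_lived",
                         f"registered {age} years before this observation; not a fresh throwaway"))
    apexes = {".".join(ns.split(".")[-2:]) for ns in rec["nservers"]}
    if len(apexes) == 1:
        findings.append(("single_ns_provider",
                         f"all {len(rec['nservers'])} nameservers under {apexes.pop()}"))
    return findings


if __name__ == "__main__":
    record = parse_tci_whois(RAW_WHOIS)
    for when in (FIRST_SEEN, LAST_SEEN):
        print(f"checks as of {when:%Y-%m-%d}:")
        for code, msg in assess(record, when):
            print(f"  [{code}] {msg}")
```

Run against the first-seen date the record is current; run against the last-seen date the paid-till check fires, which is exactly the staleness the WHOIS note above describes.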
- references (from the source reports; only entries with a bearing on security analysis are listed)
  Analysis-platform references:
  - https://otx.alienvault.com/indicator/domain/Lazystax.ru
  - https://www.virustotal.com/gui/domain/lazystax.ru/details
  - https://www.virustotal.com/gui/domain/lazystax.ru/community
  - https://threatfox.abuse.ch/browse/tag/tofsee/
  - https://www.hybrid-analysis.com/sample/fa1f15bd4c0cd287fe04f324d3363a8b5a295b57cb22d9ea0f3d6973eb442d17/651c94c00b17fb9324040f7c
  - https://tria.ge/210906-p1v21abbc5/behavioral2
  - https://any.run/report/c0e63d3688879e4c415fe9c99649dd6c0cfed77424c979dd65d597a6f524cb03/ceac4db6-f8b0-4379-aa55-b4dd71ef85c3
  - https://www.vmray.com/analyses/de4dcdc5a37d/report/report.pdf
  - https://www.malwareurl.com/ns_listing.php?ip=195.123.1.2
  - https://twitter.com/RexorVc0/status/1555074253795606529
  - https://otx.alienvault.com/indicator/file/ef181d8efbb126e26fdd753e3287858063ea1cbc2baceb855949c25cfc3c4f40
  - https://otx.alienvault.com/indicator/file/0f51b0620dbbd782c786613f396b5341a8341a4131b3c9bef47f96bd446a07a7
  - https://otx.alienvault.com/indicator/file/1ee0ff6d3d73df2052c8b426051d3e69da65e7f27d856de81c72c850127dced2
  - https://otx.alienvault.com/indicator/file/aca0a107d9f67951a37f3c9e5330c625a48e2fc72b636548c94e66573c509d37
  - https://otx.alienvault.com/indicator/hostname/apptree.comcast.net
  - https://otx.alienvault.com/indicator/ip/74.6.231.21
  Hosts and URLs annotated in the reports:
  - https://tulach.cc/ [malware engineering | phishing]
  - deviceinbox.com [malware hosting]
  - http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu
  - https://timersys.com/ [phishing]
  - https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]
  - deadlyexploits.com, deadlysymbol.com
  - IPs listed as C2 in one report: 20.103.85.33, 213.91.128.13, 74.6.143.25, 74.6.143.26, 74.6.231.20, 74.6.231.21
  Vendor categorizations quoted in the reports (given alongside lazystax.ru): Sophos: Command and Control; Webroot: Bot Nets; Xcitium Verdict Cloud: Media Sharing; Forcepoint ThreatSeeker: Government; alphaMountain.ai: Malicious.
  Caveat: many of these references concern lazystax.ru and the Tofsee spambot family rather than investre.ru; the source reports list them together but do not state how the two domains are related, and the sandbox reports above should be checked for a direct reference to investre.ru before it is linked to that family. The remaining entries in the source reports are unrelated consumer URLs and unverified personal annotations with no bearing on this indicator.
- subdomains count: 3
Export & API
STIX 2.1 Bundle
CSV Export
Permalink
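What the STIX 2.1 export of this indicator contains, as an added example (not the page's own export code): an indicator object carrying the domain pattern and the page's 11/100 confidence, a sighting object carrying the first/last-seen dates and report count, and a consumer-side sanity check. Objects are built as plain dicts so the shape is visible without the stix2 library; object IDs are generated at run time and the label set is an assumption, everything else comes from the page's fields.

```python
"""Build and sanity-check a STIX 2.1 bundle for the indicator on this page.

Added example, not the page's export code. Field values are the page's;
IDs are generated here; LABELS is an assumed tagging of the feed description.
"""
import json
import uuid
from datetime import datetime, timezone

DOMAIN = "investre.ru"
FIRST_SEEN = datetime(2025, 7, 5, tzinfo=timezone.utc)
LAST_SEEN = datetime(2026, 4, 25, tzinfo=timezone.utc)
CONFIDENCE = 11            # STIX confidence is 0-100, the same scale the page uses
REPORT_COUNT = 4
LABELS = ["c2", "phishing", "malware-distribution"]   # assumption, from the feed text


def stix_ts(dt):
    """STIX timestamps: RFC 3339, UTC, millisecond precision, 'Z' suffix."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_escape(value):
    """Escape a string constant for use inside a STIX pattern."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def make_indicator(domain, first_seen, confidence, labels, created=None):
    now = created or datetime.now(timezone.utc)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stix_ts(now),
        "modified": stix_ts(now),
        "name": f"Malicious domain {domain}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{stix_escape(domain)}']",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": stix_ts(first_seen),
        "confidence": confidence,
        "labels": labels,
    }


def make_sighting(indicator_id, first_seen, last_seen, count, created=None):
    """A sighting carries the observation window and count, not the indicator itself."""
    now = created or datetime.now(timezone.utc)
    return {
        "type": "sighting",
        "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": stix_ts(now),
        "modified": stix_ts(now),
        "sighting_of_ref": indicator_id,
        "first_seen": stix_ts(first_seen),
        "last_seen": stix_ts(last_seen),
        "count": count,
    }


def make_bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def build_bundle():
    indicator = make_indicator(DOMAIN, FIRST_SEEN, CONFIDENCE, LABELS)
    sighting = make_sighting(indicator["id"], FIRST_SEEN, LAST_SEEN, REPORT_COUNT)
    return make_bundle([indicator, sighting])


def check_bundle(bundle):
    """Minimal checks a consumer should run before ingesting a bundle."""
    problems = []
    ids = {obj["id"] for obj in bundle["objects"]}
    for obj in bundle["objects"]:
        if obj.get("spec_version") != "2.1":
            problems.append(f"{obj['id']}: missing spec_version 2.1")
        if obj["type"] == "indicator" and not 0 <= obj.get("confidence", 0) <= 100:
            problems.append(f"{obj['id']}: confidence out of range")
        if obj["type"] == "sighting":
            if obj["sighting_of_ref"] not in ids:
                problems.append(f"{obj['id']}: dangling sighting_of_ref")
            # Fixed-width timestamps compare correctly as strings.
            if obj["first_seen"] > obj["last_seen"]:
                problems.append(f"{obj['id']}: first_seen after last_seen")
    return problems


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", check_bundle(bundle) or "none")
```

Keeping the 11/100 confidence on the indicator object matters: a downstream consumer that blocks on every indicator it ingests, regardless of confidence, would turn this weak report into a firewall rule.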
IOC Journey
Confidence: medium. First detected 11 months ago, last seen 1 month ago. Appeared in 4 threat reports.