Domain · High · Verified · Signal 64/100
nixarr.com
Location
First Seen
Mar 6, 2025
Last Seen
Jun 3, 2026
Found in 5 reports. Confidence: high. Confidence scores are heuristic; verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
64%
Signal Score
64 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
5 source reports · 64% confidence score
Category tags
Activity Timeline
Jun 3
Threat Activity Heatmap
Peak: 2026-06-03
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Intelligence Summary (AI Generated)
The domain **nixarr.com** has been identified as a significant indicator of compromise (IOC) associated with multiple cyber threats originating from France. First observed on March
Threat Score: Medium Risk
Signal Score: 64
Confidence: 64%
Reports: 5
First seen: Mar 6, 2025
Last seen: Jun 3, 2026
Verified IOC
VirusTotal
Not checked
WHOIS
- registrar
- TUCOWS DOMAINS, INC.
- description
- Embedded in communication between a healthcare system and a client. This is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads, call failures.
- domain rank
- -1
- raw
  - Creation Date: 2024-03-10T20:09:23
  - Creation Date: 2024-03-10T20:09:23Z
  - DNSSEC: unsigned
  - Domain Name: NIXARR.COM
  - Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
  - Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
  - Name Server: 1-YOU.NJALLA.NO
  - Name Server: 1-you.njalla.no
  - Name Server: 2-CAN.NJALLA.IN
  - Name Server: 2-can.njalla.in
  - Name Server: 3-GET.NJALLA.FO
  - Name Server: 3-get.njalla.fo
  - Registrant City: 1f8f4166599d23ee
  - Registrant Country: KN
  - Registrant Email: cf1c34f3e2f73fb3s@
  - Registrant Fax Ext: 3432650ec337c945
  - Registrant Fax: 1f8f4166599d23ee
  - Registrant Name: 1f8f4166599d23ee
  - Registrant Organization: 1f8f4166599d23ee
  - Registrant Phone Ext: 3432650ec337c945
  - Registrant Phone: 1f8f4166599d23ee
  - Registrant Postal Code: 1f8f4166599d23ee
  - Registrant State/Province: 5c1896d54f3bb30d
  - Registrant Street: 1f8f4166599d23ee
  - Registrar Abuse Contact Email: [email protected]
  - Registrar Abuse Contact Phone: +1.4165350123
  - Registrar IANA ID: 69
  - Registrar Registration Expiration Date: 2026-03-10T20:09:23
  - Registrar URL: http://tucowsdomains.com
  - Registrar URL: http://www.tucows.com
  - Registrar WHOIS Server: whois.tucows.com
  - Registrar: TUCOWS DOMAINS, INC.
  - Registrar: Tucows Domains Inc.
  - Registry Domain ID: 2862587611_DOMAIN_COM-VRSN
  - Registry Expiry Date: 2026-03-10T20:09:23Z
  - Updated Date: 2025-07-04T14:27:32
  - Updated Date: 2025-07-04T14:27:32Z
- references
- subdomains count
- 0
IOC Journey
High · First detected 1 year ago · Last seen 22 days ago
Appeared in 5 threat reports