IOC Radar
Domain · High · Verified · Signal 64/100

ssv4.net

Location
Montserrat
First Seen
Dec 3, 2021
Last Seen
Mar 20, 2026
Reports: 5 source reports
Confidence: 64% (high). Confidence scores are heuristic; verify before acting on results.
Indicator type: Domain Name (malicious domain used for C2, phishing, or malware distribution)
MISP Category: Network Activity
Confidence: 64%
Signal Score: 64 / 100
IDS Rule: No
Threat Context
Tags
MITRE ATT&CK TTPs: 95 techniques

Feed Intelligence Summary
5 source reports, 64% confidence score
Category tags
The tag cloud survives only as run-together text with its separators lost, so it is not reproduced in full. Recognisable entries include malware family and tool names (Amadey, AutoIt, Berbew, Black Basta, Cobalt Strike, CryptBot, Cycbot, Gafgyt, Mirai botnet, Neshta, NetWire, Pegasus, QBot/Qakbot, Quasar RAT, RansomEXX, Tofsee, Warzone RAT, kkrunchy/KrunchyMalPacker), generic categories (botnet activity, C2, credential harvesting, infostealer, malvertising, phishing, process injection, remote access trojan, web exploitation), and a long run of MITRE ATT&CK technique IDs (T1003.008, T1005, T1027, T1041, T1055, T1059.001, T1071.001, T1078, T1105, T1110, T1190, T1204.002, T1486, T1566.001, T1573, T1583.001, T1595, among others).

Activity Timeline
1 total observation (Mar 20)

Threat Activity Heatmap
Peak: 2026-03-20 (the single observation on the timeline)
Recent activity: 24h 0 · 7d 0 · 30d 0 · 3mo 0 (dormant in every window)
Threat Score: 64 (Medium Risk)
Signal Score: 64 · Confidence: 64% · Reports: 5
First seen: Dec 3, 2021 · Last seen: Mar 20, 2026
Verified IOC

VirusTotal: Not checked

WHOIS
registrar: 1 API GmbH
description
-> Hostname:
• edenglobalpartners.palantirfoundry.com
• c.twitterintegration.com
*Trojan:Win32/Vflooder.E
IDS Detections:
- Win32/Flooder.Agent.NAS CnC Domain in DNS Lookup
• Virus Total vtapi DOS
• Generic HTTP EXE Upload Inbound
• Observed Suspicious UA (Mozilla/5.0)
• Generic HTTP EXE Upload Outbound
|| *ALF:HSTR:KrunchyMalPacker!MTB
IDS Detections:
- Win32/Vflooder.B Checkin
• TLS Handshake Failure
Yara Detections: kkrunchy023alpha2
Alerts:
• static_pe_anomaly
• suricata_alert
• dynamic_function_loading
• network_cnc_https_generic
• reads_self
• network_cnc_http
• network_http
• packer_unknown_pe_section_name
• packer_entropy
• injection_rwx
||
IPs Contacted:
• 34.54.88.138
• 162.159.140.229
Domains Contacted:
• twitter.com (SBKA - Palantir?)
• www.virustotal.com
#botnetresulttesting #virustotal_unsafe #vtflooder #palantir #twitter #gotham foundry #brian_sabey_has_a_new_toy #targeting #tsara_brashears
domain rank: -1
raw
Domain Name: SSV4.NET
Registry Domain ID: 1913787194_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.1api.net
Registrar URL: http://www.1api.net
Updated Date: 2018-05-10T15:29:59Z
Creation Date: 2015-03-27T14:47:35Z
Registry Expiry Date: 2018-03-27T14:47:35Z
Registrar: 1 API GmbH
Registrar IANA ID: 1387
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +49.6841.6984-200
Domain Status: clientHold https://icann.org/epp#clientHold
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: redemptionPeriod https://icann.org/epp#redemptionPeriod
Name Server: DOMAIN.DOES.NOT.RESOLVE.ISPAPI.NET
Name Server: DOMAIN.NAME.HAS.EXPIRED.ISPAPI.NET
DNSSEC: unsigned
Updated Date: 2018-05-02T15:08:45Z
Registrar Registration Expiration Date: 2018-03-27T14:47:35Z
Registrar: 1API GmbH
Registrar Abuse Contact Phone: +49.68416984x200
Domain Status: clientTransferProhibited - http://www.icann.org/epp#clientTransferProhibited
Registrant Country: GB
Registrant Email: [REDACTED]@cat.net
Admin Organization: Cat Networks Limited
Admin City: Nottingham
Admin Postal Code: NG8 5BY
Admin Country: GB
Admin Email: [REDACTED]@cat.net
Tech Organization: Cat Networks Limited
Tech City: Nottingham
Tech Postal Code: NG8 5BY
Tech Country: GB
Tech Email: [REDACTED]@cat.net
Name Server: domain.does.not.resolve.ispapi.net 1.1.1.1
Name Server: domain.name.has.expired.ispapi.net 1.1.1.1

Note: this WHOIS snapshot was last updated in May 2018 and shows the domain already expired (registry expiry 2018-03-27), on clientHold and in redemptionPeriod, delegated to the registrar's expiry placeholder nameservers. It predates every sighting on this page (Dec 2021 to Mar 2026), so the domain may have been dropped and re-registered since; re-query RDAP/WHOIS before attributing the current registration to Cat Networks Limited or the GB contacts above.
references
- palantirfoundry.com • https://edenglobalpartners.palantirfoundry.com/
- 247seekscenter.com • ns-1986.awsdns-56.co.uk | 365-notifcation.com
- ETPRO TROJAN Win32/Oderoor Checkin • ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
- ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)
- ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection
- platform.twitter.co • rm.twitter.co • upload.twitter.co • http://2fsyndication.twitter.co/
- http://legal.twitter.co • http://mobile.twitter.co/
- ec2-44-228-94-74.us-west-2.compute.amazonaws.com • defender.palantirfoundry.com
- https://embaxter.palantirfoundry.com • https://amgistudios.palantirfoundry.com
- https://ametrine-containers.palantirfoundry.com • https://amfp.palantirfoundry.com
- https://ameteklms.palantirfoundry.com • https://ametrine-compute.palantirfoundry.com
- https://amiable-constellation.palantirfoundry.com • https://amplifi.palantirfoundry.com
- https://oscar.palantirfoundry.com/ • https://replica.palantirfoundry.com/
- https://statemed.palantirgov.com/workspace/settings/notifications • https://cchbc.palantirfoundry.com
- https://test-1.washington.palantircloud.com • https://tarn.palantirgov.com • https://stateplatform.palantirgov.com
- https://imperium-dev-1.palantircloud.com • https://hii.palantirgov.com • https://genoa.washington.palantircloud.com
- tsystems.palantirfoundry.com • https://statemed.palantirgov.com • https://statecms.palantirgov.com
- https://replica.palantirfoundry.com/ • https://spacejam.palantirfoundry.com/
- https://pl.pornhub.mrst.one/ • hotamateurpornsite.xxx • squirting.porn • https://de-pornhub.mrst.one/
- Hostname: hcl-dna-sandbox.palantirfoundry.com
- https://www.hyundaitx.com/
- ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check
- https://remote.downloadnow-1.com/
- Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp
- Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection
- Monitored Target - Spawned process "iexplore.exe" w/commandline "SCODEF:5860 CREDAT:275457 /prefetch:2"
- Monitored Target: Queries DNS server details "www.hyundaitx.com" (Network Traffic, T1071.004)
- Palantir/Hyundai coexist | Confirmed Targets: transportation was a Hyundai SUV
- ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996
- Facebook_1.pdf
subdomains count: 29


IOC Journey
Confidence high. First detected 4 years ago (Dec 3, 2021), last seen 3 months ago (Mar 20, 2026); appeared in 5 threat reports.