Domain · Medium · Signal 0/100
vultrusercontent.com
Location
First Seen
Aug 21, 2022
Last Seen
Jun 15, 2026
Found in 6 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
0%
Signal Score
0 / 100
IDS Rule
No
Threat Context
Tags
Feed Intelligence Summary
Source reports: 6
Confidence score: 0%
Category tags: indicator, network, researched
Activity Timeline: Jun 15 to Jun 15
Threat Activity Heatmap · Peak: 2026-06-15
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Intelligence Summary (AI Generated)
The domain **vultrusercontent.com** has been identified as a potential indicator of compromise (IOC) associated with malicious activities originating from Canada. First observed on August
Threat Score: Low Risk
Signal Score: 0
Confidence: 0%
Reports: 6
First seen: Aug 21, 2022
Last seen: Jun 15, 2026
VirusTotal
Not checked
WHOIS
- domain rank: -1
- raw:
  - Administrative city: Kirkland
  - Administrative country: United States
  - Administrative email: [email protected]
  - Administrative state: WA
  - Create date: 2022-03-10
  - Domain name: vultrusercontent.com
  - Domain registrar id: 48
  - Domain registrar url: http://www.enom.com
  - Expiry date: 2027-03-10
  - Name server 1: ns1.vultr.com
  - Name server 2: ns2.vultr.com
  - Query time: 2022-03-13 16:11:47
  - Registrant address: 5e8fe693989d7658
  - Registrant city: a864f65d8a34edc6
  - Registrant company: e3759ea30bf63405
  - Registrant country: United States
  - Registrant email: [email protected]
  - Registrant fax: a627dc8c8feff001
  - Registrant name: a64592f07fd69505
  - Registrant phone: 6609a847f6acec25
  - Registrant state: 6fa261c82e69525a
  - Registrant zip: 4187ceb30384a7f2
  - Technical city: Kirkland
  - Technical country: United States
  - Technical email: [email protected]
  - Technical state: WA
  - Update date: 2022-03-10
- references
- All - EnterpriseAppsList.csv, AppRegistrationList.csv, https://tria.ge/240517-vc7c1shc62/behavioral1, https://tria.ge/240517-vdwb5shc71/behavioral1, https://tria.ge/240517-vqxezaaa33/behavioral1, https://tria.ge/240517-t9pc2ahb2t, https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark, https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs, https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph, https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary, https://www.filescan.io/uploads/66479b483313f70f0afe3dbb, https://www.filescan.io/uploads/664799c9d5c40bffee6106d7, Thor Scan: S-I9VvMTB6cZU, https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview, https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview, https://imp0rtp3.wordpress.com/2021/08/12/tetris/, https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview, https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview, https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview, https://tria.ge/240521-q4s79agb25/static1, https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be, https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093, https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview, https://www.filescan.io/uploads/666d69ff6b8dba248b414767, https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3, https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a, https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b, Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****, https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea, https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6, https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2, https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a, https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2, https://www.hudsonrock.com/search?domain=ualberta.ca, https://www.criminalip.io/domain/report?scan_id=13798622, https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24, https://urlscan.io/search/#ualberta.ca, https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs, https://sitereport.netcraft.com/?url=http://ualberta.ca, https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/, https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll, https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark, https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22, https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22, https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22, https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22, https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List, Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks, Highlighted Text: The following text was observed as standard output, "[THEA-MALWARE]: Gimme Cum Pwease XD", Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e, Antivirus Detections: ELF:Mirai-AHC\ [Trj] , Unix.Trojan.Mirai-7100807-0 , DDoS:Linux/Gafgyt.YA!MTB, IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215), IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound, Yara Detections: Mirai_Botnet_Malware, High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc, Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope, Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1, ELF Info Header ELF32 2's complement, little endian 1 (current) UNIX - System V EXEC (Executable file) Intel 80386 0x1, Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth, Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security, Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth, Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security, https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth, Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256 86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52, Yara Detections: WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic ,, Yara Detections: MS17_010_WanaCry_worm , NHS_Strain_Wanna , stack_string , MS_Visual_Cpp_6_0, Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http, IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1, IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response), IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style), IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags), IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010, IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com), IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection, Antivirus Detections Sf:WNCryLdr-A\ [Trj] , Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H, North American Aerospace Defense Command NORAD, superanalbizflowforum.com | www.networksolutions.com, http://superanalbizflowforum.com/tsara-lynn-brashears, ELF:Mirai-GH\ [Trj] Trojan:Win32/Cenjonsla.D!bit Trojan:Win32/SmokeLoader TrojanSpy:Win32/Small VirTool:Win32/Injector.gen!BQ, https://www.virustotal.com/gui/search/engines:trojan%20AND%20engines:dropper%20AND%20engines:razy%20AND%20engines:copak, ELF:Mirai-GH\ [Trj] : FileHash-SHA256 866dfa8f3e4f4f26b70fd046fa6dcbc16eea1abc3bfaddb099d675e77ce26942 trojan, Trojan:Win32/SmokeLoader : FileHash-SHA256 29d85b4c2d52a8bcb081aa40e3d4334a864e988e1fe17933f903b4114be8e56e, TrojanSpy:Win32/Small : FileHash-SHA256 afec8925c79d6bb948ce08df54753268f63b4cb770456e6b623d9985fb1499cd, Trojan:Win32/Cenjonsla.D!bit : FileHash-SHA256 8d5fe61f75602c85c9cd196e7accc17e119191655d4ecd56da498663f5a8c92b, VirTool:Win32/Injector.gen!BQ : FileHash-SHA256 a23846fe9a306c84eb1fb2b6b0b2b3a5fdbd958f747a10ccdb435d97e35de6f9, Malware Hosting: http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf, Malware : http://gomyron.com/MTgzNjk=/2/6433/ronnoagraug/ - Huawei HG532 RCE Vulnerability, Malware Hosting: 162.43.116.132 | 183.181.98.116, CVE-2017-17215 - Huawei HG532 RCE Vulnerability / Huawei Remote Command Execution - Outbound / Huawei Remote Command Execution, CVE-2017-8759 - ".NET Framework Remote Code Execution Vulnerability." CVE-2018-8453 - "Win32k Elevation of Privilege Vulnerability.', dev.dancerage.com - Unknown dev.sportshelves.com A 199.59.242.153| dev.sportshelves.com | www.imarkdev.com × 45.76.62.78 | ASN AS20473 the constant company llc, Exploit source: 138.197.103.178, https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com, https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian, Ransomware: FileHash-SHA256 557f1759be4fdf6b9dff732c8e8aa369f4d7f9fe61a0c462c0dc8d30c2973812, https://thebrotherssabey.wordpress.com/, acam-mdn.apple.com, beacons.bcp.gvt.com, cpcontacts.webcamara.online, http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15, http://ti.hicloudcam.com, http://alohatube.xyz/search/tsara-brashears, https://www.anyxxxtube.net/search-porn/tsara-brashears/, https://search.app.goo.gl/?ofl, Worm:Win32/Benjamin, FileHash-SHA256 00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab, FileHash-MD5 ed5c771224fbd6f9b2c0cf1e8cce09b5, FileHash-SHA1 f336b50f5cca2ddc0341e2c4001b419a830d27a5, applemusic-spotlight.myunidays.com, nr-data.net, http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4, blackhat.store, api.telegram.org, cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php, https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html, WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4, MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com, CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke, Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems), ^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^, CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan, CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems), CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems), CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems), CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems), CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data, CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize, CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration), CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port), CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io), CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP), CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity), CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent, CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet, CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo.io), CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected, TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d, Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly, Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com, Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems), Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected, Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered, Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD, https://www.nextron-systems.com/notes-on-virustotal-matches/, TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645, Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,, IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI, https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection, Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042, https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2, https://www.youtube.com/watch?v=GyuMozsVyYs, Emotet | YouTube • Darklivity Podcast "Unhinged Horror", https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004, http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&, https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr, nr-data.net [Apple Private Data Collection], https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic, https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr, https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e, 114.114.114.114, http://login.live.com/oauth20_remoteconnect.srf, a-poster.info, https://www.sweetheartvideo.com/tsara-brashears/
- subdomains count: 122413
IOC Journey
Medium · First detected 3 years ago · Last seen 7 days ago
Appeared in 6 threat reports