otx.alienvault.com (99.86.4.91)

URL: https://otx.alienvault.com/pulse/6213ad9cfa105eaa69e553d2?scan=1&utm_userid=swimlanecyou&utm_medium=inproduct&utm_source=ot...
Submission: On February 23 via api from US — Scanned from DE

TEAMTNT CRYPTOMINING EXPLOSION

 * Created 2 days ago
 * Modified 2 days ago by AlienVault
 * Public
 * TLP: White
 * Subscribers (176286)

Over the past year the TeamTNT threat actor has been very active. TeamTNT is one
of the predominant cryptojacking threat actors currently targeting Linux
servers. This blog investigates the threat actor's activity and its Tactics,
Techniques and Procedures (TTPs), providing all of this information in one place
so security teams can better detect and prevent attacks from TeamTNT.

Reference:
https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/

Tags:
xmrig miner, teamtnt, tsunami, diamorphine, docker, kubernetes, worm, mirai

Adversary:
TeamTNT

Malware Families:
XMRig Miner, Diamorphine, Summer, Tsunami, TeamTNT, Watchdogd, Ezuri

ATT&CK IDs:
 * T1059 - Command and Scripting Interpreter
 * T1525 - Implant Internal Image
 * T1014 - Rootkit
 * T1036 - Masquerading
 * T1033 - System Owner/User Discovery
 * T1003 - OS Credential Dumping
 * T1102 - Web Service
 * T1071 - Application Layer Protocol
 * T1113 - Screen Capture
 * T1021 - Remote Services
 * T1566 - Phishing
 * T1049 - System Network Connections Discovery
 * T1218 - Signed Binary Proxy Execution
 * T1046 - Network Service Scanning
 * T1027 - Obfuscated Files or Information
 * T1574 - Hijack Execution Flow
 * T1530 - Data from Cloud Storage Object
 * T1543 - Create or Modify System Process
 * T1082 - System Information Discovery
 * T1485 - Data Destruction
 * T1490 - Inhibit System Recovery
 * T1070 - Indicator Removal on Host

 * Indicators of Compromise (287)
 * Related Pulses (120)
 * Comments (0)
 * History (0)

TYPES OF INDICATORS

Domain (3), Other (13), URL (4), FileHash-SHA256 (114), FileHash-MD5 (75), FileHash-SHA1 (75)

THREAT INFRASTRUCTURE

China (8), Switzerland (1), Germany (2), Netherlands (1)

INDICATORS (showing 1 to 10 of 287 entries; Role and Active columns were empty for these rows)

Type     | Indicator                                   | Title                                                              | Added                    | Related Pulses
hostname | the.borg.wtf                                |                                                                    | Feb 21, 2022, 3:19:58 PM | 8
hostname | teamtnt.twilightparadox.com                 |                                                                    | Feb 21, 2022, 3:19:58 PM | 1
hostname | irc.borg.wtf                                |                                                                    | Feb 21, 2022, 3:19:58 PM | 11
domain   | teamtnt.red                                 |                                                                    | Feb 21, 2022, 3:19:58 PM | 31
domain   | kaiserfranz.cc                              |                                                                    | Feb 21, 2022, 3:19:58 PM | 6
URL      | http://teamtnt.red/blog/Kubernetes.txt.     |                                                                    | Feb 21, 2022, 3:19:58 PM | 1
URL      | http://45.9.148.123/MoneroOcean/sh/init.sh  |                                                                    | Feb 21, 2022, 3:19:58 PM | 1
URL      | http://45.9.148.123/COVID19/init.sh         | POSIX shell script, ASCII text executable, with very long lines    | Feb 21, 2022, 3:19:58 PM | 1
IPv4     | 85.214.149.236                              |                                                                    | Feb 21, 2022, 3:19:58 PM | 32
IPv4     | 45.9.150.36                                 |                                                                    | Feb 21, 2022, 3:19:58 PM | 13


 * © Copyright 2022 AlienVault, Inc.
   