ThreatFox IOCs for 2022-01-14
AI Analysis
Technical Summary
The provided information pertains to a set of Indicators of Compromise (IOCs) published on January 14, 2022, sourced from the ThreatFox MISP feed. ThreatFox is an open-source threat intelligence platform that aggregates and shares IOCs related to malware, network activity, and payload delivery. The data describes a medium severity malware threat primarily categorized under OSINT (Open Source Intelligence), payload delivery, and network activity. However, the details are minimal: no specific affected software versions, no known exploits in the wild, no patches available, and no concrete technical details beyond a threat level rating of 2 (on an unspecified scale), analysis rating of 1, and distribution rating of 3. The absence of concrete indicators or CWEs (Common Weakness Enumerations) limits the ability to precisely characterize the malware or its attack vectors. The threat appears to be a general notification of malware-related IOCs without detailed attribution or technical dissection. The 'type: osint' tag suggests this is primarily intelligence data for detection and response rather than a newly discovered vulnerability or exploit. Overall, this represents a medium-level malware threat identified via OSINT channels, focusing on payload delivery and network activity, but lacking detailed technical specifics or evidence of active exploitation.
Potential Impact
For European organizations, the impact of this threat is currently limited due to the lack of detailed information on affected systems or active exploitation. However, as the threat involves malware delivery and network activity, there is a potential risk of infection leading to data compromise, disruption of services, or lateral movement within networks if the malware is successfully deployed. The medium severity rating suggests moderate risk, possibly indicating that the malware could be used in targeted attacks or campaigns but is not currently widespread or highly destructive. European entities with exposure to global threat intelligence feeds or those relying on OSINT for threat detection may benefit from incorporating these IOCs into their detection mechanisms to enhance early warning capabilities. Without specific affected products or vulnerabilities, the direct operational impact remains uncertain but warrants vigilance in monitoring network traffic and payload delivery mechanisms.
Mitigation Recommendations
Given the nature of this threat as an OSINT-derived set of IOCs for malware-related activity, European organizations should focus on enhancing detection and response capabilities rather than patching specific vulnerabilities. Practical mitigation steps include:
1. Integrate the provided IOCs into existing Security Information and Event Management (SIEM) systems and Endpoint Detection and Response (EDR) tools to improve detection of related malware activity.
2. Conduct regular network traffic analysis to identify unusual payload delivery attempts or suspicious network activity consistent with the threat profile.
3. Maintain updated threat intelligence feeds and ensure security teams are trained to interpret and act on OSINT-derived indicators.
4. Implement strict network segmentation and least privilege access controls to limit potential lateral movement if infection occurs.
5. Employ robust email and web filtering solutions to reduce the risk of initial malware payload delivery.
6. Conduct regular user awareness training focused on recognizing phishing and social engineering tactics that often accompany payload delivery.
These steps go beyond generic advice by emphasizing the operational integration of OSINT IOCs and proactive network monitoring tailored to the threat's characteristics.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Indicators of Compromise
- url: http://robotically.xyz/wp-content/xtkkx/
- file: 142.11.244.223
- hash: 443
- file: 192.236.194.72
- hash: 443
- file: 192.119.110.4
- hash: 443
- hash: 3bb970ec5ce98d3945badae0c544dc03400858bcaf3908285d1dda102f644a0b
- hash: 3b87d2d1a31c2cc49f365fce8aa50e034d72c44a9ec9c29f5f253da7a424b8ea
- hash: 5e31a1960b0ee0ce4e0d02d08adb7647d9d3aae75393fd718594a73fd12d6f46
- hash: 1b7512dc2c7e944f29436876f8d1e942a70100fdf7fcc7ed8d34e23ae31c669e
- url: http://shopnhap.com/highbinder/uedvfthdf5em40/
- hash: b8bed0211974f32db2c385350fb62954f0b0f335bc592b51144027956524d674
- hash: 22cb98a4832824adc290e8a9541b50228f4f75fb1a8e621fd80d4d2be7ed73f9
- hash: 8c0272f6d0136bb8adeb659d8de19a4be68a81fc018587275e045103fc01b49d
- hash: 012ce05f8263d161d4387749446cb3df3240fd33cf71dfb3f48dc4f4c9354298
- url: https://celhocortofilmfestival.stream/css/naq/
- url: http://insertcatherreview.xyz/wp-includes/uulqtc51sl8izbt/
- url: http://bbc-us.com/wp-admin/48r6tif1qtmqrao/
- file: 185.140.53.132
- hash: 1604
- hash: 4162cc11cc30f7db7c8a151252a7e63e78dd4c03c995e2ab6e225dc811b8fd48
- hash: e997341ab2422f5471f4c9f1df84f7a52e16fa38d64e6e0f4f94859cc234e2f8
- hash: 35da284a91a4217dddc3207fe0b20ae37a2126e33c1b57c5fa65e2e14b72e9ba
- hash: 5edfc7353c1aa6b23547357f576453b48059bb994824fd67002f13906000cf9d
- hash: c47ffaadc73b46ad2ea10a4fc2108e35e88ea5f0b3552606a87305e2aab13b7f
- hash: 3b4b7e29adf8ff8cf49cdb924de689cdb735a12ebd78dd29537e81a9454e9631
- hash: 93d545c83fa462035ae0c2aa0036db008fc4bdf3d10ec89c6f0b6699b09c6fbf
- hash: 30e1ba61a63a27b668eee09f960a83d944e878c33b46f85ea86bacdf1427f4dd
- url: http://slimpackage.com/slimfit/five/fre.php
- domain: 2t2ev5giwktc5o9.quest
- domain: 3f2ocy9clt90x74.one
- domain: 6v2mofchw2eix98.quest
- domain: a575hh752dp9l6c.one
- domain: ki6hcax6c1ehe5j.one
- domain: lc83k0l0bdl6u41.one
- domain: mxaflbsa3chjk0i.quest
- domain: nm542iefjijgl2n.one
- domain: r4nrjfmlc3k7z00.quest
- domain: t5ctg9k9cpdmhjt.quest
- hash: a2b8128f9686d68437b6ce9f4e0fb09b6301cfa43f8bd7daf022912f778cebb5
- hash: bb6109acc2b7474d53e223a5756822fb77b8b7495af31ffdeb90dd2e8584e17b
- hash: a5e8e8d270c1f8e2c8d30bfcb2f3c0029f318e5c0b94ef883544c5caa429cacf
- hash: b2258d48681423e06c71cee3484c629607b9eeb0d2f99d209fb10e4d9522ed7e
- domain: www3.cloud
- domain: api.www3.cloud
- domain: news.www3.cloud
- hash: 9e2502b3945f31482623e8e61dcb85b9ebb7d9a4244d9074fa289596c9da513e
- hash: 097a53e95523a6627511ab11904ab7fba846da6e85ce5cb2dc4f8a6c577228a0
- hash: 0d072a60b433f330d2ba97d75eae7af07e9d75bc6ed5b1065287661d05e82ab6
- hash: 9679f0e8f63974d80f953b8212b2668c27ec9762cdcf6acbfd4fdf4b6d189f23
- url: http://2.arthaloca.com/styles/ds5rnprosfcabltyewo/
- url: http://slimpackage.com/slimmain/five/fre.php
- url: https://45.156.24.200:443/g.pixel
- url: https://107.172.89.110:443/updates.rss
- url: http://170.39.214.187:80/g.pixel
- url: https://43.156.8.120:443/ie9compatviewlist.xml
- url: http://1.1.1.1:2222/ptj
- url: http://64.52.169.174:9999/cx
- url: http://69.172.75.132:8443/cm
- url: https://www.msrcc.tk:443/cx
- url: https://106.13.95.3:443/fwlink
- url: https://106.52.131.175:443/image
- url: https://1.14.148.85:443/cx
- hash: e3af866c7760f95afa5352ec3845697a17354305f5797a69538bb637f8bbf4fe
- hash: f85293eec1a9d86cdb45979a7a90265d9082148898d583b1baaf8c7ae3e1047a
- hash: 5c037c7c1338cf54a9d1e81b74bb4ad003e1a254069a03499426ec1600a748d9
- hash: 6cb775a7c9b0cf8ba308029dc623e1de6d17cb2ab6b7ebbbd9c16bfcaa55efe8
- url: http://adi.iswks.com/assets/ho1v71pqfnn/
- url: http://64.52.169.174:80/updates.rss
- file: 212.193.30.54
- hash: 8754
- url: https://estts.net:443/ptj
- url: https://5.39.221.60:443/ptj
- url: https://69.172.75.132:443/cm
- url: https://cs.eeeqq.tk:443/g.pixel
- file: 107.189.1.53
- hash: 6738
- hash: 9cb252d017b68a7906e842f51e5c9ba737567a6a85ba14666aa54c5c1b93ebb6
- hash: 881d216bda06fbcd5809ba113ee4574fb5d464dbe464e8627b52973c08dba5a3
- hash: 87d380f12b61ff49af7680e3dd4cb7c0415be71811a565fa4736c6430e629974
- hash: 428181d7903c358f27f2607b8caf6468eaae1bff1a0b7747904db042cbc2cafd
- hash: 50bee5c11d3905157aa3aa461b9da69cc05c90d748330e98324cc36815610bc0
- hash: dd1f717452d1875bf3af9fde8d4ac06514ff9b05e58c579e6ad5f2b0a5f4d51f
- hash: 51d9617958b9509bf33f82f6d4f213d80b88fe4cf74efb0166b5fc6db2ddff63
- hash: 1cf27ab77a771ff942b1e2947856844fbab4991cf87aca618968445b5c5d706d
- hash: e93370bd5b2ede03153fa579529406ea68c1e1072416a3523cb000180f7c0ecb
- hash: d6f20ad67b08f29828c05878f4381065d8634085129d70d637effae9e6226a1a
- hash: 1be428f924402d7cc4586ca37a9e843c869b394f85085db5e4e85d150aa87e04
- hash: b50e88d7d4ed87c10772d463b0649bb735a426230576e4b3ee8fd0b67f0dbc44
- hash: 966557b6f228eda641e155a858f574654e431743311d83e4841013d63044a994
- hash: 44e305db99461f07b7cff6648b50531771361a4dfafa69991527d3963eb88dd2
- hash: 901ad7435c05bf0fee8f05128d43b805a25dff60a442ba8482c0cac32ba380a8
- hash: c8fe81088b2caa9df35d92a588fb266a145c95b81b5c66d5bfe181fa73b17d82
- url: https://69.172.75.132:443/dpixel
- url: http://42.192.160.91:8080/pixel.gif
- url: https://124.223.17.79/image/
- file: 124.223.17.79
- hash: 443
- url: http://124.71.111.23:1111/api/x
- file: 124.71.111.23
- hash: 1111
- url: http://120.79.10.121/updates
- url: http://121.5.175.66/__utm.gif
- file: 121.5.175.66
- hash: 80
- url: https://193.242.145.134/stop/v1.42/3zbzo7gp
- file: 193.242.145.134
- hash: 443
- url: https://103.45.142.124/updates.rss
- file: 103.45.142.124
- hash: 443
- file: 112.74.105.133
- hash: 8080
- file: 45.11.47.244
- hash: 4444
- url: http://service-09d0zmmi-1309015260.gz.apigw.tencentcs.com/api/x
- file: 121.5.63.127
- hash: 80
- url: https://43.239.159.3/cx
- file: 43.239.159.3
- hash: 443
- url: https://47.90.202.152:443/__utm.gif
- url: https://www.cyberevilcorp.tk:443/en_us/all.js
- url: http://178.128.244.245/search.php?key=9fdacf1307e35d047a008c29da6e9968
- url: https://45.64.184.144:443/pixel.gif
- url: https://43.239.159.3:443/ca
- hash: f2da177aff59093abe1d3bc7c1a769be2701784036c398900a43725d83c9e9a9
- hash: 9ca32954bc9ae96f11d246ca45443522a731631c154f768938c556869e01b555
- hash: c48f7949e36ea00828f752c9a5a2baa48fa6f867ba9013025b6d6cb858f31768
- hash: c16082d1e821a819ea4d274e12d7d656e83b359b2ca7b33de143e60affc7b1b2
- hash: 3cbf94c22af49ad9be152750428263c826c9b020036a0321f10f9fe2eed6ae52
- hash: 9d69632f6791492fadab28bea034f7f18d29bc67fd6e7db08bdba847487da47f
- hash: 4dfa1bc1558cd76b1c9cf89cf7a3ca77170452041c32ee28d9c239e4249c394f
- hash: 5f1da4ecb8c7d741c4b8263ade13d80369a9caad14a119063c809cdd3bd97e40
- hash: aeed1bf32df36ad3ccc929987dbd30e2b1836c267223614d3648b3027e23e1fe
- hash: e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca
- hash: 3bb8ef6eaec03c54c6c517000575ef943577ca0a71e61fd29257786991306133
- hash: e91644f9cffb58e260facf0cb5abd35f9b0da2e5129803a6d4e7b8802814d752
- url: https://43.239.159.3:443/cx
- url: https://143.198.102.5:443/cx
- url: https://test2.bilibili.cc:443/visit.js
- url: https://1.15.80.102:443/load
- url: https://45.145.6.5:443/dot.gif
- url: https://185.186.142.101:443/g.pixel
- url: http://service-9ce967gj-1258736518.sh.apigw.tencentcs.com:80/api/x
- url: http://111.123.50.42:80/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- url: https://150.158.75.242:443/ptj
- url: https://service-14v4pnqn-1259219677.sh.apigw.tencentcs.com:443/api/x
- url: https://www.cctv003.tk:8443/match
- url: http://10.37.129.13:80/ga.js
- url: http://therecyclingmachine.com/wp-admin/lzpozslkq90fyt1/
- url: http://zhongmaifangwu.com/test777/3u4un0u/
- url: http://moversphiladelphia.org/cmsxml/9byfsxp/
- url: https://8.210.224.18:443/messages/2i2ga6wsjrx4e0xchuu3kbgu-crd4la
- url: https://91.213.50.101:443/ca
- url: http://75.119.146.209
- url: http://lopatuniscuasesrsas.xyz
- url: http://andosuaieupdatesignau.ml
- url: http://yoklesfomerdesgomres.net
- file: 185.140.53.10
- hash: 9090
- url: http://mercygreig437.website
- url: http://kateflowers325.website
- url: http://rivkagreig23.website
- file: 3.131.207.170
- hash: 10778
- file: 3.22.53.161
- hash: 10778
- file: 52.14.18.129
- hash: 10778
- url: http://pplonline.org/cgi//6.jpg
- url: http://pplonline.org/cgi//1.jpg
- url: http://pplonline.org/cgi//2.jpg
- url: http://pplonline.org/cgi//3.jpg
- url: http://pplonline.org/cgi//4.jpg
- url: http://pplonline.org/cgi//5.jpg
- url: http://pplonline.org/cgi//7.jpg
- url: http://5.199.162.229:80/nv.css
- url: https://sophospanels.com:443/nv.css
- file: 95.143.179.185
- hash: 31334
- file: 103.153.78.234
- hash: 8951
- file: 20.79.206.212
- hash: 6000
- url: http://jnxxx1.xyz/jrm/w2/fre.php
- file: 185.80.53.106
- hash: 80
- url: http://64.52.169.174:9999/dpixel
- file: 81.91.178.186
- hash: 19410
- file: 3.134.125.175
- hash: 13467
- file: 3.14.182.203
- hash: 13467
- url: http://romebor.com:80/jquery-3.3.1.min.js
- url: https://jnxxx1.xyz/jrm/w2/fre.php
- file: 5.149.255.205
- hash: 80
- file: 116.202.24.62
- hash: 9295
- file: 95.143.177.76
- hash: 34098
- file: 185.215.113.64
- hash: 25828
- hash: 2d2ceb896bf2f2af272245a052c936a9e45df7bded60a09ba3a1debc3aff1c4c
- hash: b4a63629d1d2c8b7320b1372cf46e3e0c05bf1d1ddf7f89deb644aacf9e51f3b
- hash: d26cea6912e11e87d9fa8782f69b01d38c4e8d40c9548341629b8281f9aa2ab0
- hash: 72ca3e2f8479a075c8e089f543f79c4f1cf868d66d3272b2e6b0f0fded1bdb60
- hash: 248ce8f51907aa4a7ce3ae5f9c947a30a7844340bae4a3621d4e0234ba18dc22
- url: https://www.siole.tk/ie9compatviewlist.xml
- hash: 93fddb1a745fec7ae8bc3a7f8d66ce73b1841998e9b0589790e924ff6efb6a05
- hash: 164149035d4a3d2edba76c0601f6f83e04d45d7c057d221130c57fc9b13fd5b5
- hash: 2476273703617870ae392f166bc07d346596d23a159bf762fd5468844b70e33f
- hash: 07f9220fe1879a72e9570c31869a19b40ba97a990a9300198af5d016806499c0
- file: 109.205.178.244
- hash: 6688
- url: http://91.213.50.101:3389/cm
- hash: b93b9b8c9bbc90a761f62b17adc1b6662de922acd463d7fc6af09869afdc29d4
- hash: 1d91b2f83ced053a62d4ae0289ac87fdf7557f684c8c67f56529126186bb5ef4
- hash: 45fa3b802a5d7e2c3687dbb1957e5cda1715b5d741f40d80d672bbf73d5d8b3e
- hash: 23abc535e7b9fe582b338c82884a2f0ea164a62d38132b9e205f87b1591fd243
- hash: 900e115c271f29c66454e91f168be012c2ae5d307c86b70e8d595e0bade388c6
- hash: bdaae5a1a9b92e3e85fa026ae9f6b375eda1eb75a31fa122b204418ff83fc36c
- hash: feb40c343aa65f5f5c0a32443535effa22652067c576416857e4d7280ce85e11
- hash: 33bb2954b5efd072d71b4d7bf79eb609e4143a01023c15f8239f3a93561052e0
- url: http://adreylinkm.temp.swtest.ru/panel/adnim.php
- file: 212.193.30.28
- hash: 2050
- url: https://194.147.142.163:443/g.pixel
- url: http://39.96.34.51/cm
- file: 39.96.34.51
- hash: 80
- file: 49.232.110.30
- hash: 80
- file: 107.189.12.189
- hash: 1791
- file: 45.150.67.126
- hash: 12829
- file: 91.142.78.221
- hash: 19473
- domain: childhome4100.duckdns.org
- file: 194.5.98.28
- hash: 4100
- hash: f2c5e8d5a5f0c2b5fbb3ac5361b1de3fa179baee1c863d62ac47fd3b5277ce4d
- hash: 3309dbe5abab38f952ca3a478531e9ff57a1ef4654f988c53dbc9e08da7ac9db
- hash: 9b58105b315bbd6a5af96e63f88dc59cdedef401324916ae48de270a021ec29d
- hash: 1cdc472f08bc86830018711d971f1efc634d01f8a8635996d274388bc27953e7
- file: 207.32.218.86
- hash: 38565
- file: 207.32.219.80
- hash: 39824
- file: 78.46.137.240
- hash: 21314
- url: http://badmakeup.biz/dhl/3ez4gms65gk6bgxd/
- file: 185.222.57.80
- hash: 6275
- url: http://47.254.235.229/7/universal/httpflower1track/bigloadpacketcdn/localsecure/eternalpipebigloadsqldownloads.php
- file: 208.167.249.72
- hash: 2943
- file: 138.201.2.2
- hash: 2022
- file: 62.182.156.179
- hash: 46840
- url: http://185.112.83.116:80/_/scs/mail-static/_/js/
- url: http://d18krv932r2kbr.cloudfront.net:80/access/
- url: https://107.173.82.245:443/ptj
- url: https://45.61.139.86:443/cx
- url: https://jdk9.jp.ngrok.io:443/visit.js
- url: https://155.94.138.16:443/ca
- url: https://47.90.202.152:443/load
- url: https://45.195.15.124:443/match
- file: 185.112.83.116
- hash: 8080
- file: 185.112.83.116
- hash: 80
- url: https://ec2-35-177-95-190.eu-west-2.compute.amazonaws.com/real-world-investing/
- hash: 0a150f4647b60f84416e88dfd6dc5e22faa88b08551397e861b7b2ccaa9ed085
- hash: a15f8c268f7dfbd6b2c0aea83c52a7d5530c4cd8a10d2d1bf1f7bed97807e3c3
- hash: 3a52ca55d7a163c15e187788137f8cb1b4a84779ec7de748463f1aa23314e901
- hash: d6f3d5fbdc9c7f68e29260badb6fd6e8f1b606798fd9fe544e0b28387f21eaf9
- url: http://118.193.62.241:81/push
- file: 118.193.62.241
- hash: 81
- url: http://94.103.9.48/dpixel
- file: 94.103.9.48
- hash: 80
- url: http://210.108.146.194:5353/ga.js
- file: 210.108.146.194
- hash: 5353
- url: https://user.hsafe.xyz/wp08/wp-includes/dtcla.php
- file: 198.55.102.254
- hash: 443
- url: https://www.palauhealths.com/security-details.a52152.js
- file: 149.28.80.59
- hash: 443
- url: https://94.103.9.48/push
- file: 94.103.9.48
- hash: 443
- url: http://143.244.165.123/visit.js
- url: http://138.68.155.70/dpixel
- file: 143.244.165.123
- hash: 80
- url: http://158.247.204.207:1111/load
- file: 158.247.204.207
- hash: 1111
- url: http://192.168.2.194/api/getit
- file: 1.14.98.183
- hash: 80
- url: http://192.241.137.180/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- url: http://newsdoom.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- file: 192.241.137.180
- hash: 80
- url: http://45.156.24.200:86/cm
- file: 45.156.24.200
- hash: 86
- url: https://147.182.205.242/jquery-3.3.1.min.js
- file: 147.182.205.242
- hash: 443
- url: http://1.15.41.163:8089/wp08/wp-includes/dtcla.php
- file: 1.15.41.163
- hash: 8089
- url: http://service-ir7mxmrz-1255840758.bj.apigw.tencentcs.com/api/getit
- file: 8.142.39.2
- hash: 80
- url: https://serverworker.com/bg
- file: 77.83.199.189
- hash: 443
- url: http://23.227.198.246/templates.js
- file: 23.227.198.246
- hash: 80
- url: https://176.121.14.54/image/
- file: 176.121.14.54
- hash: 443
- url: https://znertino.com/get
- file: 45.227.255.157
- hash: 443
- url: http://47.242.29.98:49154/dot.gif
- file: 47.242.29.98
- hash: 49154
- url: https://b2bdirector.com:1443/search
- file: 23.227.202.109
- hash: 1443
- url: http://8.214.23.44:8080/ie9compatviewlist.xml
- file: 8.214.23.44
- hash: 8080
- url: https://149.255.35.131/rn.css
- file: 149.255.35.131
- hash: 443
- file: 52.128.229.4
- hash: 80
- url: https://www.hsanzsa.xyz/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- file: 45.32.26.111
- hash: 443
- url: http://195.242.111.157/mqew
- file: 195.242.111.157
- hash: 80
- file: 136.144.41.15
- hash: 1312
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- Uuid: fc63303d-587f-4ae1-8951-34da47de05c7
- Original Timestamp: 1642204983
Indicators of Compromise
Url
Value | Description
---|---
http://robotically.xyz/wp-content/xtkkx/ | Emotet payload delivery URL (confidence level: 90%)
http://shopnhap.com/highbinder/uedvfthdf5em40/ | Emotet payload delivery URL (confidence level: 90%)
https://celhocortofilmfestival.stream/css/naq/ | Emotet payload delivery URL (confidence level: 90%)
http://insertcatherreview.xyz/wp-includes/uulqtc51sl8izbt/ | Emotet payload delivery URL (confidence level: 90%)
http://bbc-us.com/wp-admin/48r6tif1qtmqrao/ | Emotet payload delivery URL (confidence level: 90%)
http://slimpackage.com/slimfit/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
http://2.arthaloca.com/styles/ds5rnprosfcabltyewo/ | Emotet payload delivery URL (confidence level: 90%)
http://slimpackage.com/slimmain/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
https://45.156.24.200:443/g.pixel | Cobalt Strike botnet C2 (confidence level: 50%)
https://107.172.89.110:443/updates.rss | Cobalt Strike botnet C2 (confidence level: 50%)
http://170.39.214.187:80/g.pixel | Cobalt Strike botnet C2 (confidence level: 50%)
https://43.156.8.120:443/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 50%)
http://1.1.1.1:2222/ptj | Cobalt Strike botnet C2 (confidence level: 50%)
http://64.52.169.174:9999/cx | Cobalt Strike botnet C2 (confidence level: 50%)
http://69.172.75.132:8443/cm | Cobalt Strike botnet C2 (confidence level: 50%)
https://www.msrcc.tk:443/cx | Cobalt Strike botnet C2 (confidence level: 50%)
https://106.13.95.3:443/fwlink | Cobalt Strike botnet C2 (confidence level: 50%)
https://106.52.131.175:443/image | Cobalt Strike botnet C2 (confidence level: 50%)
https://1.14.148.85:443/cx | Cobalt Strike botnet C2 (confidence level: 50%)
http://adi.iswks.com/assets/ho1v71pqfnn/ | Emotet payload delivery URL (confidence level: 90%)
http://64.52.169.174:80/updates.rss | Cobalt Strike botnet C2 (confidence level: 50%)
https://estts.net:443/ptj | Cobalt Strike botnet C2 (confidence level: 50%)
https://5.39.221.60:443/ptj | Cobalt Strike botnet C2 (confidence level: 50%)
https://69.172.75.132:443/cm | Cobalt Strike botnet C2 (confidence level: 50%)
https://cs.eeeqq.tk:443/g.pixel | Cobalt Strike botnet C2 (confidence level: 50%)
https://69.172.75.132:443/dpixel | Cobalt Strike botnet C2 (confidence level: 50%)
http://42.192.160.91:8080/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%)
https://124.223.17.79/image/ | Cobalt Strike botnet C2 (confidence level: 100%)
http://124.71.111.23:1111/api/x | Cobalt Strike botnet C2 (confidence level: 100%)
http://120.79.10.121/updates | Cobalt Strike botnet C2 (confidence level: 100%)
http://121.5.175.66/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%)
https://193.242.145.134/stop/v1.42/3zbzo7gp | Cobalt Strike botnet C2 (confidence level: 100%)
https://103.45.142.124/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
http://service-09d0zmmi-1309015260.gz.apigw.tencentcs.com/api/x | Cobalt Strike botnet C2 (confidence level: 100%)
https://43.239.159.3/cx | Cobalt Strike botnet C2 (confidence level: 100%)
https://47.90.202.152:443/__utm.gif | Cobalt Strike botnet C2 (confidence level: 50%)
https://www.cyberevilcorp.tk:443/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 50%)
http://178.128.244.245/search.php?key=9fdacf1307e35d047a008c29da6e9968 | Loki Password Stealer (PWS) botnet C2 (confidence level: 75%)
https://45.64.184.144:443/pixel.gif | Cobalt Strike botnet C2 (confidence level: 50%)
https://43.239.159.3:443/ca | Cobalt Strike botnet C2 (confidence level: 50%)
https://43.239.159.3:443/cx | Cobalt Strike botnet C2 (confidence level: 50%)
https://143.198.102.5:443/cx | Cobalt Strike botnet C2 (confidence level: 50%)
https://test2.bilibili.cc:443/visit.js | Cobalt Strike botnet C2 (confidence level: 50%)
https://1.15.80.102:443/load | Cobalt Strike botnet C2 (confidence level: 50%)
https://45.145.6.5:443/dot.gif | Cobalt Strike botnet C2 (confidence level: 50%)
https://185.186.142.101:443/g.pixel | Cobalt Strike botnet C2 (confidence level: 50%)
http://service-9ce967gj-1258736518.sh.apigw.tencentcs.com:80/api/x | Cobalt Strike botnet C2 (confidence level: 50%)
http://111.123.50.42:80/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 50%)
https://150.158.75.242:443/ptj | Cobalt Strike botnet C2 (confidence level: 50%)
https://service-14v4pnqn-1259219677.sh.apigw.tencentcs.com:443/api/x | Cobalt Strike botnet C2 (confidence level: 50%)
https://www.cctv003.tk:8443/match | Cobalt Strike botnet C2 (confidence level: 50%)
http://10.37.129.13:80/ga.js | Cobalt Strike botnet C2 (confidence level: 50%)
http://therecyclingmachine.com/wp-admin/lzpozslkq90fyt1/ | Emotet payload delivery URL (confidence level: 90%)
http://zhongmaifangwu.com/test777/3u4un0u/ | Emotet payload delivery URL (confidence level: 90%)
http://moversphiladelphia.org/cmsxml/9byfsxp/ | Emotet payload delivery URL (confidence level: 90%)
https://8.210.224.18:443/messages/2i2ga6wsjrx4e0xchuu3kbgu-crd4la | Cobalt Strike botnet C2 (confidence level: 50%)
https://91.213.50.101:443/ca | Cobalt Strike botnet C2 (confidence level: 50%)
http://75.119.146.209 | Alien botnet C2 (confidence level: 80%)
http://lopatuniscuasesrsas.xyz | Alien botnet C2 (confidence level: 80%)
http://andosuaieupdatesignau.ml | Alien botnet C2 (confidence level: 80%)
http://yoklesfomerdesgomres.net | Alien botnet C2 (confidence level: 80%)
http://mercygreig437.website | Hydra botnet C2 (confidence level: 80%)
http://kateflowers325.website | Hydra botnet C2 (confidence level: 80%)
http://rivkagreig23.website | Hydra botnet C2 (confidence level: 80%)
http://pplonline.org/cgi//6.jpg | Oski Stealer botnet C2 (confidence level: 100%)
http://pplonline.org/cgi//1.jpg | Oski Stealer botnet C2 (confidence level: 100%)
http://pplonline.org/cgi//2.jpg | Oski Stealer botnet C2 (confidence level: 100%)
http://pplonline.org/cgi//3.jpg | Oski Stealer botnet C2 (confidence level: 100%)
http://pplonline.org/cgi//4.jpg | Oski Stealer botnet C2 (confidence level: 100%)
http://pplonline.org/cgi//5.jpg | Oski Stealer botnet C2 (confidence level: 100%)
http://pplonline.org/cgi//7.jpg | Oski Stealer botnet C2 (confidence level: 100%)
http://5.199.162.229:80/nv.css | Cobalt Strike botnet C2 (confidence level: 50%)
https://sophospanels.com:443/nv.css | Cobalt Strike botnet C2 (confidence level: 50%)
http://jnxxx1.xyz/jrm/w2/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
http://64.52.169.174:9999/dpixel | Cobalt Strike botnet C2 (confidence level: 50%)
http://romebor.com:80/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 50%)
https://jnxxx1.xyz/jrm/w2/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 75%)
https://www.siole.tk/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
http://91.213.50.101:3389/cm | Cobalt Strike botnet C2 (confidence level: 50%)
http://adreylinkm.temp.swtest.ru/panel/adnim.php | Azorult botnet C2 (confidence level: 100%)
https://194.147.142.163:443/g.pixel | Cobalt Strike botnet C2 (confidence level: 50%)
http://39.96.34.51/cm | Cobalt Strike botnet C2 (confidence level: 100%)
http://badmakeup.biz/dhl/3ez4gms65gk6bgxd/ | Emotet payload delivery URL (confidence level: 90%)
http://47.254.235.229/7/universal/httpflower1track/bigloadpacketcdn/localsecure/eternalpipebigloadsqldownloads.php | DCRat botnet C2 (confidence level: 100%)
http://185.112.83.116:80/_/scs/mail-static/_/js/ | Cobalt Strike botnet C2 (confidence level: 50%)
http://d18krv932r2kbr.cloudfront.net:80/access/ | Cobalt Strike botnet C2 (confidence level: 50%)
https://107.173.82.245:443/ptj | Cobalt Strike botnet C2 (confidence level: 50%)
https://45.61.139.86:443/cx | Cobalt Strike botnet C2 (confidence level: 50%)
https://jdk9.jp.ngrok.io:443/visit.js | Cobalt Strike botnet C2 (confidence level: 50%)
https://155.94.138.16:443/ca | Cobalt Strike botnet C2 (confidence level: 50%)
https://47.90.202.152:443/load | Cobalt Strike botnet C2 (confidence level: 50%)
https://45.195.15.124:443/match | Cobalt Strike botnet C2 (confidence level: 50%)
https://ec2-35-177-95-190.eu-west-2.compute.amazonaws.com/real-world-investing/ | Cobalt Strike botnet C2 (confidence level: 100%)
http://118.193.62.241:81/push | Cobalt Strike botnet C2 (confidence level: 100%)
http://94.103.9.48/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://210.108.146.194:5353/ga.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://user.hsafe.xyz/wp08/wp-includes/dtcla.php | Cobalt Strike botnet C2 (confidence level: 100%)
https://www.palauhealths.com/security-details.a52152.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://94.103.9.48/push | Cobalt Strike botnet C2 (confidence level: 100%)
http://143.244.165.123/visit.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://138.68.155.70/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://158.247.204.207:1111/load | Cobalt Strike botnet C2 (confidence level: 100%)
http://192.168.2.194/api/getit | Cobalt Strike botnet C2 (confidence level: 100%)
http://192.241.137.180/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%)
http://newsdoom.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%)
http://45.156.24.200:86/cm | Cobalt Strike botnet C2 (confidence level: 100%)
https://147.182.205.242/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://1.15.41.163:8089/wp08/wp-includes/dtcla.php | Cobalt Strike botnet C2 (confidence level: 100%)
http://service-ir7mxmrz-1255840758.bj.apigw.tencentcs.com/api/getit | Cobalt Strike botnet C2 (confidence level: 100%)
https://serverworker.com/bg | Cobalt Strike botnet C2 (confidence level: 100%)
http://23.227.198.246/templates.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://176.121.14.54/image/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://znertino.com/get | Cobalt Strike botnet C2 (confidence level: 100%)
http://47.242.29.98:49154/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%)
https://b2bdirector.com:1443/search | Cobalt Strike botnet C2 (confidence level: 100%)
http://8.214.23.44:8080/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
https://149.255.35.131/rn.css | Cobalt Strike botnet C2 (confidence level: 100%)
https://www.hsanzsa.xyz/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%)
http://195.242.111.157/mqew | Cobalt Strike botnet C2 (confidence level: 100%)
File
Value | Description |
---|---|
142.11.244.223 | DanaBot botnet C2 server (confidence level: 100%) |
192.236.194.72 | DanaBot botnet C2 server (confidence level: 100%) |
192.119.110.4 | DanaBot botnet C2 server (confidence level: 100%) |
185.140.53.132 | Nanocore RAT botnet C2 server (confidence level: 100%) |
212.193.30.54 | AsyncRAT botnet C2 server (confidence level: 75%) |
107.189.1.53 | Mirai botnet C2 server (confidence level: 75%) |
124.223.17.79 | Cobalt Strike botnet C2 server (confidence level: 100%) |
124.71.111.23 | Cobalt Strike botnet C2 server (confidence level: 100%) |
121.5.175.66 | Cobalt Strike botnet C2 server (confidence level: 100%) |
193.242.145.134 | Cobalt Strike botnet C2 server (confidence level: 100%) |
103.45.142.124 | Cobalt Strike botnet C2 server (confidence level: 100%) |
112.74.105.133 | Cobalt Strike botnet C2 server (confidence level: 100%) |
45.11.47.244 | Cobalt Strike botnet C2 server (confidence level: 100%) |
121.5.63.127 | Cobalt Strike botnet C2 server (confidence level: 100%) |
43.239.159.3 | Cobalt Strike botnet C2 server (confidence level: 100%) |
185.140.53.10 | Nanocore RAT botnet C2 server (confidence level: 100%) |
3.131.207.170 | NjRAT botnet C2 server (confidence level: 100%) |
3.22.53.161 | NjRAT botnet C2 server (confidence level: 100%) |
52.14.18.129 | NjRAT botnet C2 server (confidence level: 100%) |
95.143.179.185 | RedLine Stealer botnet C2 server (confidence level: 100%) |
103.153.78.234 | Nanocore RAT botnet C2 server (confidence level: 100%) |
20.79.206.212 | Nanocore RAT botnet C2 server (confidence level: 100%) |
185.80.53.106 | RedLine Stealer botnet C2 server (confidence level: 100%) |
81.91.178.186 | RedLine Stealer botnet C2 server (confidence level: 100%) |
3.134.125.175 | NjRAT botnet C2 server (confidence level: 100%) |
3.14.182.203 | NjRAT botnet C2 server (confidence level: 100%) |
5.149.255.205 | RedLine Stealer botnet C2 server (confidence level: 100%) |
116.202.24.62 | RedLine Stealer botnet C2 server (confidence level: 100%) |
95.143.177.76 | RedLine Stealer botnet C2 server (confidence level: 100%) |
185.215.113.64 | RedLine Stealer botnet C2 server (confidence level: 100%) |
109.205.178.244 | NetWire RC botnet C2 server (confidence level: 100%) |
212.193.30.28 | Nanocore RAT botnet C2 server (confidence level: 100%) |
39.96.34.51 | Cobalt Strike botnet C2 server (confidence level: 100%) |
49.232.110.30 | Cobalt Strike botnet C2 server (confidence level: 100%) |
107.189.12.189 | Mirai botnet C2 server (confidence level: 75%) |
45.150.67.126 | RedLine Stealer botnet C2 server (confidence level: 100%) |
91.142.78.221 | RedLine Stealer botnet C2 server (confidence level: 100%) |
194.5.98.28 | Nanocore RAT botnet C2 server (confidence level: 100%) |
207.32.218.86 | RedLine Stealer botnet C2 server (confidence level: 100%) |
207.32.219.80 | RedLine Stealer botnet C2 server (confidence level: 100%) |
78.46.137.240 | RedLine Stealer botnet C2 server (confidence level: 100%) |
185.222.57.80 | AsyncRAT botnet C2 server (confidence level: 75%) |
208.167.249.72 | RedLine Stealer botnet C2 server (confidence level: 100%) |
138.201.2.2 | AsyncRAT botnet C2 server (confidence level: 100%) |
62.182.156.179 | RedLine Stealer botnet C2 server (confidence level: 100%) |
185.112.83.116 | Cobalt Strike botnet C2 server (confidence level: 75%) |
185.112.83.116 | Cobalt Strike botnet C2 server (confidence level: 75%) |
118.193.62.241 | Cobalt Strike botnet C2 server (confidence level: 100%) |
94.103.9.48 | Cobalt Strike botnet C2 server (confidence level: 100%) |
210.108.146.194 | Cobalt Strike botnet C2 server (confidence level: 100%) |
198.55.102.254 | Cobalt Strike botnet C2 server (confidence level: 100%) |
149.28.80.59 | Cobalt Strike botnet C2 server (confidence level: 100%) |
94.103.9.48 | Cobalt Strike botnet C2 server (confidence level: 100%) |
143.244.165.123 | Cobalt Strike botnet C2 server (confidence level: 100%) |
158.247.204.207 | Cobalt Strike botnet C2 server (confidence level: 100%) |
1.14.98.183 | Cobalt Strike botnet C2 server (confidence level: 100%) |
192.241.137.180 | Cobalt Strike botnet C2 server (confidence level: 100%) |
45.156.24.200 | Cobalt Strike botnet C2 server (confidence level: 100%) |
147.182.205.242 | Cobalt Strike botnet C2 server (confidence level: 100%) |
1.15.41.163 | Cobalt Strike botnet C2 server (confidence level: 100%) |
8.142.39.2 | Cobalt Strike botnet C2 server (confidence level: 100%) |
77.83.199.189 | Cobalt Strike botnet C2 server (confidence level: 100%) |
23.227.198.246 | Cobalt Strike botnet C2 server (confidence level: 100%) |
176.121.14.54 | Cobalt Strike botnet C2 server (confidence level: 100%) |
45.227.255.157 | Cobalt Strike botnet C2 server (confidence level: 100%) |
47.242.29.98 | Cobalt Strike botnet C2 server (confidence level: 100%) |
23.227.202.109 | Cobalt Strike botnet C2 server (confidence level: 100%) |
8.214.23.44 | Cobalt Strike botnet C2 server (confidence level: 100%) |
149.255.35.131 | Cobalt Strike botnet C2 server (confidence level: 100%) |
52.128.229.4 | Cobalt Strike botnet C2 server (confidence level: 100%) |
45.32.26.111 | Cobalt Strike botnet C2 server (confidence level: 100%) |
195.242.111.157 | Cobalt Strike botnet C2 server (confidence level: 100%) |
136.144.41.15 | Mirai botnet C2 server (confidence level: 75%) |
Hash
Value | Description |
---|---|
443 | DanaBot botnet C2 server (confidence level: 100%) |
443 | DanaBot botnet C2 server (confidence level: 100%) |
443 | DanaBot botnet C2 server (confidence level: 100%) |
3bb970ec5ce98d3945badae0c544dc03400858bcaf3908285d1dda102f644a0b | Emotet payload (confidence level: 50%) |
3b87d2d1a31c2cc49f365fce8aa50e034d72c44a9ec9c29f5f253da7a424b8ea | Emotet payload (confidence level: 50%) |
5e31a1960b0ee0ce4e0d02d08adb7647d9d3aae75393fd718594a73fd12d6f46 | Emotet payload (confidence level: 50%) |
1b7512dc2c7e944f29436876f8d1e942a70100fdf7fcc7ed8d34e23ae31c669e | Emotet payload (confidence level: 50%) |
b8bed0211974f32db2c385350fb62954f0b0f335bc592b51144027956524d674 | Amadey payload (confidence level: 50%) |
22cb98a4832824adc290e8a9541b50228f4f75fb1a8e621fd80d4d2be7ed73f9 | Amadey payload (confidence level: 50%) |
8c0272f6d0136bb8adeb659d8de19a4be68a81fc018587275e045103fc01b49d | Amadey payload (confidence level: 50%) |
012ce05f8263d161d4387749446cb3df3240fd33cf71dfb3f48dc4f4c9354298 | Amadey payload (confidence level: 50%) |
1604 | Nanocore RAT botnet C2 server (confidence level: 100%) |
4162cc11cc30f7db7c8a151252a7e63e78dd4c03c995e2ab6e225dc811b8fd48 | Amadey payload (confidence level: 50%) |
e997341ab2422f5471f4c9f1df84f7a52e16fa38d64e6e0f4f94859cc234e2f8 | Amadey payload (confidence level: 50%) |
35da284a91a4217dddc3207fe0b20ae37a2126e33c1b57c5fa65e2e14b72e9ba | Amadey payload (confidence level: 50%) |
5edfc7353c1aa6b23547357f576453b48059bb994824fd67002f13906000cf9d | Amadey payload (confidence level: 50%) |
c47ffaadc73b46ad2ea10a4fc2108e35e88ea5f0b3552606a87305e2aab13b7f | Nanocore RAT payload (confidence level: 50%) |
3b4b7e29adf8ff8cf49cdb924de689cdb735a12ebd78dd29537e81a9454e9631 | Nanocore RAT payload (confidence level: 50%) |
93d545c83fa462035ae0c2aa0036db008fc4bdf3d10ec89c6f0b6699b09c6fbf | Nanocore RAT payload (confidence level: 50%) |
30e1ba61a63a27b668eee09f960a83d944e878c33b46f85ea86bacdf1427f4dd | Nanocore RAT payload (confidence level: 50%) |
a2b8128f9686d68437b6ce9f4e0fb09b6301cfa43f8bd7daf022912f778cebb5 | Emotet payload (confidence level: 50%) |
bb6109acc2b7474d53e223a5756822fb77b8b7495af31ffdeb90dd2e8584e17b | Emotet payload (confidence level: 50%) |
a5e8e8d270c1f8e2c8d30bfcb2f3c0029f318e5c0b94ef883544c5caa429cacf | Emotet payload (confidence level: 50%) |
b2258d48681423e06c71cee3484c629607b9eeb0d2f99d209fb10e4d9522ed7e | Emotet payload (confidence level: 50%) |
9e2502b3945f31482623e8e61dcb85b9ebb7d9a4244d9074fa289596c9da513e | Formbook payload (confidence level: 50%) |
097a53e95523a6627511ab11904ab7fba846da6e85ce5cb2dc4f8a6c577228a0 | Formbook payload (confidence level: 50%) |
0d072a60b433f330d2ba97d75eae7af07e9d75bc6ed5b1065287661d05e82ab6 | Formbook payload (confidence level: 50%) |
9679f0e8f63974d80f953b8212b2668c27ec9762cdcf6acbfd4fdf4b6d189f23 | Formbook payload (confidence level: 50%) |
e3af866c7760f95afa5352ec3845697a17354305f5797a69538bb637f8bbf4fe | Amadey payload (confidence level: 50%) |
f85293eec1a9d86cdb45979a7a90265d9082148898d583b1baaf8c7ae3e1047a | Amadey payload (confidence level: 50%) |
5c037c7c1338cf54a9d1e81b74bb4ad003e1a254069a03499426ec1600a748d9 | Amadey payload (confidence level: 50%) |
6cb775a7c9b0cf8ba308029dc623e1de6d17cb2ab6b7ebbbd9c16bfcaa55efe8 | Amadey payload (confidence level: 50%) |
8754 | AsyncRAT botnet C2 server (confidence level: 75%) |
6738 | Mirai botnet C2 server (confidence level: 75%) |
9cb252d017b68a7906e842f51e5c9ba737567a6a85ba14666aa54c5c1b93ebb6 | LokiBot payload (confidence level: 50%) |
881d216bda06fbcd5809ba113ee4574fb5d464dbe464e8627b52973c08dba5a3 | LokiBot payload (confidence level: 50%) |
87d380f12b61ff49af7680e3dd4cb7c0415be71811a565fa4736c6430e629974 | LokiBot payload (confidence level: 50%) |
428181d7903c358f27f2607b8caf6468eaae1bff1a0b7747904db042cbc2cafd | LokiBot payload (confidence level: 50%) |
50bee5c11d3905157aa3aa461b9da69cc05c90d748330e98324cc36815610bc0 | Amadey payload (confidence level: 50%) |
dd1f717452d1875bf3af9fde8d4ac06514ff9b05e58c579e6ad5f2b0a5f4d51f | Amadey payload (confidence level: 50%) |
51d9617958b9509bf33f82f6d4f213d80b88fe4cf74efb0166b5fc6db2ddff63 | Raccoon payload (confidence level: 50%) |
1cf27ab77a771ff942b1e2947856844fbab4991cf87aca618968445b5c5d706d | Amadey payload (confidence level: 50%) |
e93370bd5b2ede03153fa579529406ea68c1e1072416a3523cb000180f7c0ecb | Raccoon payload (confidence level: 50%) |
d6f20ad67b08f29828c05878f4381065d8634085129d70d637effae9e6226a1a | Amadey payload (confidence level: 50%) |
1be428f924402d7cc4586ca37a9e843c869b394f85085db5e4e85d150aa87e04 | Amadey payload (confidence level: 50%) |
b50e88d7d4ed87c10772d463b0649bb735a426230576e4b3ee8fd0b67f0dbc44 | Raccoon payload (confidence level: 50%) |
966557b6f228eda641e155a858f574654e431743311d83e4841013d63044a994 | Amadey payload (confidence level: 50%) |
44e305db99461f07b7cff6648b50531771361a4dfafa69991527d3963eb88dd2 | Amadey payload (confidence level: 50%) |
901ad7435c05bf0fee8f05128d43b805a25dff60a442ba8482c0cac32ba380a8 | Raccoon payload (confidence level: 50%) |
c8fe81088b2caa9df35d92a588fb266a145c95b81b5c66d5bfe181fa73b17d82 | Amadey payload (confidence level: 50%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
1111 | Cobalt Strike botnet C2 server (confidence level: 100%) |
80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
8080 | Cobalt Strike botnet C2 server (confidence level: 100%) |
4444 | Cobalt Strike botnet C2 server (confidence level: 100%) |
80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
f2da177aff59093abe1d3bc7c1a769be2701784036c398900a43725d83c9e9a9 | Agent Tesla payload (confidence level: 50%) |
9ca32954bc9ae96f11d246ca45443522a731631c154f768938c556869e01b555 | Agent Tesla payload (confidence level: 50%) |
c48f7949e36ea00828f752c9a5a2baa48fa6f867ba9013025b6d6cb858f31768 | Agent Tesla payload (confidence level: 50%) |
c16082d1e821a819ea4d274e12d7d656e83b359b2ca7b33de143e60affc7b1b2 | Agent Tesla payload (confidence level: 50%) |
3cbf94c22af49ad9be152750428263c826c9b020036a0321f10f9fe2eed6ae52 | Agent Tesla payload (confidence level: 50%) |
9d69632f6791492fadab28bea034f7f18d29bc67fd6e7db08bdba847487da47f | Agent Tesla payload (confidence level: 50%) |
4dfa1bc1558cd76b1c9cf89cf7a3ca77170452041c32ee28d9c239e4249c394f | Agent Tesla payload (confidence level: 50%) |
5f1da4ecb8c7d741c4b8263ade13d80369a9caad14a119063c809cdd3bd97e40 | Agent Tesla payload (confidence level: 50%) |
aeed1bf32df36ad3ccc929987dbd30e2b1836c267223614d3648b3027e23e1fe | Amadey payload (confidence level: 50%) |
e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca | Amadey payload (confidence level: 50%) |
3bb8ef6eaec03c54c6c517000575ef943577ca0a71e61fd29257786991306133 | Amadey payload (confidence level: 50%) |
e91644f9cffb58e260facf0cb5abd35f9b0da2e5129803a6d4e7b8802814d752 | Amadey payload (confidence level: 50%) |
9090 | Nanocore RAT botnet C2 server (confidence level: 100%) |
10778 | NjRAT botnet C2 server (confidence level: 100%) |
10778 | NjRAT botnet C2 server (confidence level: 100%) |
10778 | NjRAT botnet C2 server (confidence level: 100%) |
31334 | RedLine Stealer botnet C2 server (confidence level: 100%) |
8951 | Nanocore RAT botnet C2 server (confidence level: 100%) |
6000 | Nanocore RAT botnet C2 server (confidence level: 100%) |
80 | RedLine Stealer botnet C2 server (confidence level: 100%) |
19410 | RedLine Stealer botnet C2 server (confidence level: 100%) |
13467 | NjRAT botnet C2 server (confidence level: 100%) |
13467 | NjRAT botnet C2 server (confidence level: 100%) |
80 | RedLine Stealer botnet C2 server (confidence level: 100%) |
9295 | RedLine Stealer botnet C2 server (confidence level: 100%) |
34098 | RedLine Stealer botnet C2 server (confidence level: 100%) |
25828 | RedLine Stealer botnet C2 server (confidence level: 100%) |
2d2ceb896bf2f2af272245a052c936a9e45df7bded60a09ba3a1debc3aff1c4c | NjRAT payload (confidence level: 50%) |
b4a63629d1d2c8b7320b1372cf46e3e0c05bf1d1ddf7f89deb644aacf9e51f3b | NjRAT payload (confidence level: 50%) |
d26cea6912e11e87d9fa8782f69b01d38c4e8d40c9548341629b8281f9aa2ab0 | NjRAT payload (confidence level: 50%) |
72ca3e2f8479a075c8e089f543f79c4f1cf868d66d3272b2e6b0f0fded1bdb60 | NjRAT payload (confidence level: 50%) |
248ce8f51907aa4a7ce3ae5f9c947a30a7844340bae4a3621d4e0234ba18dc22 | Agent Tesla payload (confidence level: 50%) |
93fddb1a745fec7ae8bc3a7f8d66ce73b1841998e9b0589790e924ff6efb6a05 | Amadey payload (confidence level: 50%) |
164149035d4a3d2edba76c0601f6f83e04d45d7c057d221130c57fc9b13fd5b5 | Amadey payload (confidence level: 50%) |
2476273703617870ae392f166bc07d346596d23a159bf762fd5468844b70e33f | Amadey payload (confidence level: 50%) |
07f9220fe1879a72e9570c31869a19b40ba97a990a9300198af5d016806499c0 | Amadey payload (confidence level: 50%) |
6688 | NetWire RC botnet C2 server (confidence level: 100%) |
b93b9b8c9bbc90a761f62b17adc1b6662de922acd463d7fc6af09869afdc29d4 | Amadey payload (confidence level: 50%) |
1d91b2f83ced053a62d4ae0289ac87fdf7557f684c8c67f56529126186bb5ef4 | Amadey payload (confidence level: 50%) |
45fa3b802a5d7e2c3687dbb1957e5cda1715b5d741f40d80d672bbf73d5d8b3e | Amadey payload (confidence level: 50%) |
23abc535e7b9fe582b338c82884a2f0ea164a62d38132b9e205f87b1591fd243 | Amadey payload (confidence level: 50%) |
900e115c271f29c66454e91f168be012c2ae5d307c86b70e8d595e0bade388c6 | Formbook payload (confidence level: 50%) |
bdaae5a1a9b92e3e85fa026ae9f6b375eda1eb75a31fa122b204418ff83fc36c | Formbook payload (confidence level: 50%) |
feb40c343aa65f5f5c0a32443535effa22652067c576416857e4d7280ce85e11 | Formbook payload (confidence level: 50%) |
33bb2954b5efd072d71b4d7bf79eb609e4143a01023c15f8239f3a93561052e0 | Formbook payload (confidence level: 50%) |
2050 | Nanocore RAT botnet C2 server (confidence level: 100%) |
80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
1791 | Mirai botnet C2 server (confidence level: 75%) |
12829 | RedLine Stealer botnet C2 server (confidence level: 100%) |
19473 | RedLine Stealer botnet C2 server (confidence level: 100%) |
4100 | Nanocore RAT botnet C2 server (confidence level: 100%) |
f2c5e8d5a5f0c2b5fbb3ac5361b1de3fa179baee1c863d62ac47fd3b5277ce4d | Amadey payload (confidence level: 50%) |
3309dbe5abab38f952ca3a478531e9ff57a1ef4654f988c53dbc9e08da7ac9db | Amadey payload (confidence level: 50%) |
9b58105b315bbd6a5af96e63f88dc59cdedef401324916ae48de270a021ec29d | Amadey payload (confidence level: 50%) |
1cdc472f08bc86830018711d971f1efc634d01f8a8635996d274388bc27953e7 | Amadey payload (confidence level: 50%) |
38565 | RedLine Stealer botnet C2 server (confidence level: 100%) |
39824 | RedLine Stealer botnet C2 server (confidence level: 100%) |
21314 | RedLine Stealer botnet C2 server (confidence level: 100%) |
6275 | AsyncRAT botnet C2 server (confidence level: 75%) |
2943 | RedLine Stealer botnet C2 server (confidence level: 100%) |
2022 | AsyncRAT botnet C2 server (confidence level: 100%) |
46840 | RedLine Stealer botnet C2 server (confidence level: 100%) |
8080 | Cobalt Strike botnet C2 server (confidence level: 75%) |
80 | Cobalt Strike botnet C2 server (confidence level: 75%) |
0a150f4647b60f84416e88dfd6dc5e22faa88b08551397e861b7b2ccaa9ed085 | Agent Tesla payload (confidence level: 50%) |
a15f8c268f7dfbd6b2c0aea83c52a7d5530c4cd8a10d2d1bf1f7bed97807e3c3 | Agent Tesla payload (confidence level: 50%) |
3a52ca55d7a163c15e187788137f8cb1b4a84779ec7de748463f1aa23314e901 | Agent Tesla payload (confidence level: 50%) |
d6f3d5fbdc9c7f68e29260badb6fd6e8f1b606798fd9fe544e0b28387f21eaf9 | Agent Tesla payload (confidence level: 50%) |
81 | Cobalt Strike botnet C2 server (confidence level: 100%) |
80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
5353 | Cobalt Strike botnet C2 server (confidence level: 100%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
1111 | Cobalt Strike botnet C2 server (confidence level: 100%) |
80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
86 | Cobalt Strike botnet C2 server (confidence level: 100%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
8089 | Cobalt Strike botnet C2 server (confidence level: 100%) |
80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
49154 | Cobalt Strike botnet C2 server (confidence level: 100%) |
1443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
8080 | Cobalt Strike botnet C2 server (confidence level: 100%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
1312 | Mirai botnet C2 server (confidence level: 75%) |
Domain
Value | Description |
---|---|
2t2ev5giwktc5o9.quest | Astaroth botnet C2 domain (confidence level: 100%) |
3f2ocy9clt90x74.one | Astaroth botnet C2 domain (confidence level: 100%) |
6v2mofchw2eix98.quest | Astaroth botnet C2 domain (confidence level: 100%) |
a575hh752dp9l6c.one | Astaroth botnet C2 domain (confidence level: 100%) |
ki6hcax6c1ehe5j.one | Astaroth botnet C2 domain (confidence level: 100%) |
lc83k0l0bdl6u41.one | Astaroth botnet C2 domain (confidence level: 100%) |
mxaflbsa3chjk0i.quest | Astaroth botnet C2 domain (confidence level: 100%) |
nm542iefjijgl2n.one | Astaroth botnet C2 domain (confidence level: 100%) |
r4nrjfmlc3k7z00.quest | Astaroth botnet C2 domain (confidence level: 100%) |
t5ctg9k9cpdmhjt.quest | Astaroth botnet C2 domain (confidence level: 100%) |
www3.cloud | Cobalt Strike botnet C2 domain (confidence level: 100%) |
api.www3.cloud | Cobalt Strike botnet C2 domain (confidence level: 100%) |
news.www3.cloud | Cobalt Strike botnet C2 domain (confidence level: 100%) |
childhome4100.duckdns.org | Nanocore RAT botnet C2 domain (confidence level: 100%) |
Threat ID: 68359c9d5d5f0974d01f6ff4
Added to database: 5/27/2025, 11:06:05 AM
Last enriched: 7/5/2025, 11:12:02 PM
Last updated: 8/14/2025, 6:06:17 AM