ThreatFox IOCs for 2022-05-09
AI Analysis
Technical Summary
This entry is the ThreatFox daily IOC dump for 2022-05-09. ThreatFox, operated by abuse.ch, is a free platform for sharing indicators of compromise tied to malware, and its daily dumps are distributed as MISP events in which every indicator is attributed to a malware family with a confidence level. The entry is therefore a feed of malware infrastructure, not a vulnerability: there is no CVE, CWE, affected product or patch to associate with it, and statements about "exploits in the wild" do not apply. The threat level of 2, analysis level of 1 and distribution level of 3 are MISP event fields (threat level Medium, analysis state Ongoing, distribution to All communities) that describe the event as a whole, not a severity score for any single indicator. The indicators themselves are specific. The dump contains 53 ip:port command-and-control endpoints, 87 URLs (C2 panels and payload-delivery URLs), 2 domains and 24 SHA-256 payload hashes. Cobalt Strike team servers dominate the ip:port and URL sets. The payload hashes are attributed to Mirai (13), Emotet (4), Conti (2), Formbook (2), Remcos (1), STOP (1, 50% confidence) and Magniber (1, 50% confidence). The remaining C2 entries cover IcedID and its downloader, BumbleBee, RedLine Stealer, Remcos, NanoCore, Orcus, NjRAT, NetWire, DCRat, Agent Tesla, Loki PWS, Azorult, Pony, Oski Stealer, SmokeLoader, Formbook/XLoader, the Android banking trojans Alien and Hydra, and one Mozi IoT payload URL. One export artefact needs to be read correctly: in the flattened listing an ip:port record is split into a "file" row carrying the IP address and an adjacent "hash" row carrying the TCP port, so values such as "hash: 443" are ports, not file hashes; only the 64-hex-character "hash" rows are SHA-256 digests. The entry is tagged TLP:WHITE and may be shared freely.
Potential Impact
The indicators describe malware infrastructure that was live around the publication date, so the risk is not a weakness to patch but the possibility that a host is already beaconing to one of the listed endpoints or that a user has fetched one of the listed payloads. The most consequential families in the set are the loaders and post-exploitation tooling of the 2022 ransomware supply chain: Emotet and Conti payloads, IcedID and BumbleBee C2 servers, and the many Cobalt Strike team servers that typically sit between initial access and ransomware deployment. The commodity stealers and RATs (RedLine, Loki PWS, Azorult, Agent Tesla, Formbook/XLoader, Oski, Remcos, NanoCore, NjRAT, Orcus, DCRat, NetWire) harvest credentials and session cookies that feed follow-on intrusions. Mirai and Mozi entries concern Linux/IoT devices rather than workstations, and Alien and Hydra matter for Android fleets rather than desktops. These indicators age quickly: C2 IPs and throw-away hostnames (.tk, .ml, .co.vu, .xyz, dynamic-DNS and API-gateway hostnames) rotate within days, so their value is highest for retrospective hunting over logs from around 2022-05-09 and falls off sharply afterwards. The "Affected Countries" list below is an editorial list of large European economies, not something derived from the indicators, and the Medium threat level applies to the MISP event as a whole, not to any individual indicator.
Mitigation Recommendations
1. Load the indicators as typed values, not as the flattened rows. Pair each "file" IP with the "hash" port that follows it to obtain the ip:port endpoint, treat only the 64-hex-character "hash" rows as SHA-256 digests, and keep URLs and domains as-is. Feeding bare port numbers into a hash-matching pipeline produces no useful matches.
2. Hunt retrospectively before blocking. Query proxy, DNS and firewall logs for a window around 2022-05-09 for the ip:port pairs, hostnames and full URLs, and query EDR file inventories for the SHA-256 hashes. A hit on a C2 ip:port or a beacon URL indicates a probable active compromise and should open an incident, not just add a firewall rule.
3. Block with care where the endpoint sits on shared infrastructure: 104.21.82.49 is a Cloudflare address fronting flash-update.tk, 4uklew74b1.execute-api.us-east-1.amazonaws.com and service-4u30t4nh-1305010017.sh.apigw.tencentcs.com are API-gateway redirectors for Cobalt Strike, and payloads are hosted on ipfs.io and cdn-102.bayfiles.com. Block the specific hostname or full URL rather than the provider's IP range or apex domain.
4. Use the Cobalt Strike URIs as a detection hook, with context. Paths such as /dpixel, /__utm.gif, /pixel.gif, /dot.gif, /g.pixel, /visit.js, /j.ad, /cm, /cx, /ptj, /push, /updates.rss, /en_us/all.js and /ie9compatviewlist.xml are the default Beacon GET URIs from the stock Cobalt Strike profile and deliberately imitate web-analytics traffic, so a rule on the path alone is noisy; combine it with the destination host, a non-standard port (22222, 6667, 2096, 22413, 19443) or beacon-interval analysis.
5. Treat the payload-delivery URLs as policy evidence: executables and scripts (vbc.exe, winlogon.exe, book.exe, mee.exe, as.ps1, arkaiserin.vbs) served from bare IP addresses are the Formbook/XLoader and Agent Tesla delivery pattern here. Egress rules that block executable and script downloads from IP-literal URLs, and mail-gateway filtering of those file types, stop this class of delivery regardless of the specific host.
6. Record provenance and expiry when ingesting: tag each indicator with the malware family, the ThreatFox confidence level and the 2022-05-09 date, expire IPs, domains and URLs after a fixed window to limit false positives from re-assigned infrastructure, and keep the SHA-256 hashes indefinitely.
7. Share confirmed sightings with the national CERT or sector ISAC, which can confirm whether the same infrastructure was seen against other organisations in the region.
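The ingestion and hunting steps in points 1 and 2, as an added example that is not ThreatFox code and not code from this page's publisher. The script re-pairs the flattened "file"/"hash" rows into ip:port indicators, keeps 64-hex "hash" rows as SHA-256 digests, normalises URLs, and matches the result against proxy log lines. The IOC rows are copied from this page's indicator tables; the proxy log lines, the internal and benign addresses in them, and the `dst=… dport=… url=…` field layout are constructed for the demonstration and are not from the page.

```python
"""Normalise a flattened ThreatFox daily dump and hunt for it in proxy logs.

Added example for this page, not ThreatFox code. IOC rows are copied from the
page's tables; the proxy log lines and their field layout are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Flattened rows as they appear on the page. Export quirk: an ip:port C2 record
# is split into a "file" row (the IP) followed by a "hash" row (the TCP port).
SAMPLE_IOC_ROWS = """\
file 23.224.61.63 | Cobalt Strike botnet C2 server (confidence level: 100%)
hash 80 | Cobalt Strike botnet C2 server (confidence level: 100%)
file 5.199.173.20 | IcedID botnet C2 server (confidence level: 75%)
hash 443 | IcedID botnet C2 server (confidence level: 75%)
hash fff7a3c8bd4187dc481b67336aa15c846409fc76deeebc6516e5e7c6b40210cc | Emotet payload (confidence level: 100%)
url http://23.224.61.63/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
url https://104.21.82.49:2096/image/ | Cobalt Strike botnet C2 (confidence level: 100%)
domain fasebrewer.site | IcedID botnet C2 domain (confidence level: 100%)
"""

# Constructed proxy log lines; the key=value layout is an assumption for the demo.
SAMPLE_PROXY_LOG = [
    "2022-05-10T08:14:02Z src=10.0.4.21 dst=23.224.61.63 dport=80 url=http://23.224.61.63/dpixel",
    "2022-05-10T08:15:40Z src=10.0.4.21 dst=142.250.74.78 dport=443 url=https://www.google.com/",
    "2022-05-10T08:16:11Z src=10.0.7.9 dst=104.21.82.49 dport=2096 url=https://104.21.82.49:2096/image/",
    "2022-05-10T08:17:03Z src=10.0.7.9 dst=203.0.113.7 dport=443 url=https://fasebrewer.site/",
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")
DESC = re.compile(
    r"^(?P<family>.+?) (?:botnet C2(?: server| domain)?|payload(?: delivery URL)?)"
    r" \(confidence level: (?P<conf>\d+)%\)$"
)
LOG = re.compile(r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) url=(?P<url>\S+)")


@dataclass(frozen=True)
class Indicator:
    kind: str  # "ip:port", "url", "domain" or "sha256"
    value: str
    family: str
    confidence: int


def normalise_url(url: str) -> str:
    """Lower-case scheme and host, drop default ports, default the path to '/'."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    port = f":{p.port}" if p.port and p.port != default else ""
    query = f"?{p.query}" if p.query else ""
    return f"{scheme}://{(p.hostname or '').lower()}{port}{p.path or '/'}{query}"


def parse_iocs(rows: str) -> list[Indicator]:
    """Turn flattened rows into typed indicators, re-pairing IP and port rows."""
    out: list[Indicator] = []
    pending_ip: tuple[str, str, int] | None = None  # "file" IP awaiting its port row
    for raw in rows.splitlines():
        if " | " not in raw:
            continue
        left, desc = raw.split(" | ", 1)
        kind, _, value = left.strip().partition(" ")
        m = DESC.match(desc.strip())
        family, conf = (m["family"], int(m["conf"])) if m else ("unknown", 0)
        value = value.strip()
        if kind == "file" and IPV4.match(value):
            pending_ip = (value, family, conf)
        elif kind == "hash" and SHA256.match(value.lower()):
            out.append(Indicator("sha256", value.lower(), family, conf))
        elif kind == "hash" and value.isdigit() and pending_ip:
            ip, fam, c = pending_ip
            out.append(Indicator("ip:port", f"{ip}:{int(value)}", fam, c))
            pending_ip = None
        elif kind == "url":
            out.append(Indicator("url", normalise_url(value), family, conf))
        elif kind == "domain":
            out.append(Indicator("domain", value.lower().rstrip("."), family, conf))
    return out


def hunt(indicators: list[Indicator], log_lines: list[str]) -> list[tuple[int, Indicator]]:
    """Match each line's dst ip:port, full URL and hostname; return (line_no, indicator)."""
    index: dict[str, dict[str, Indicator]] = {}
    for ind in indicators:
        index.setdefault(ind.kind, {})[ind.value] = ind
    hits: list[tuple[int, Indicator]] = []
    for n, line in enumerate(log_lines, 1):
        m = LOG.search(line)
        if not m:
            continue
        url = normalise_url(m["url"])
        keys = (("ip:port", f"{m['dst']}:{int(m['dport'])}"),
                ("url", url),
                ("domain", urlsplit(url).hostname or ""))
        hits.extend((n, index[k][v]) for k, v in keys if v in index.get(k, {}))
    return hits


def check_hashes(indicators: list[Indicator], sha256s: list[str]) -> list[Indicator]:
    """Case-insensitive SHA-256 lookup, e.g. against an EDR file-inventory export."""
    known = {i.value: i for i in indicators if i.kind == "sha256"}
    return [known[h.lower()] for h in sha256s if h.lower() in known]


if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE_IOC_ROWS)
    for line_no, ind in hunt(iocs, SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {ind.kind} {ind.value} -> {ind.family} ({ind.confidence}%)")
```

Against the constructed log the first line matches twice (ip:port and beacon URL), the Cloudflare-fronted endpoint matches only on the full URL, not on its IP, and the IcedID domain matches on hostname even though the destination IP is not in the dump, which is why all three keys are checked per line.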
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Threat Level: 2 (MISP threat level "Medium")
- Analysis: 1 (MISP analysis state "Ongoing")
- Distribution: 3 (MISP distribution "All communities")
- Uuid: f0cb5b0e-98d9-40e4-9e95-2a45d0acf610
- Original Timestamp: 1652140983 (2022-05-10 00:03:03 UTC)
Indicators of Compromise
IP:port C2 servers
The export lists each endpoint as a "file" row (IP address) followed by a "hash" row (TCP port); the two are re-paired here. Ports are shown as ports, not hashes.
Indicator | Description | Confidence
---|---|---
149.202.251.90:1791 | Mirai botnet C2 server | 75%
107.172.0.101:45 | Mirai botnet C2 server | 75%
23.224.61.63:80 | Cobalt Strike botnet C2 server | 100%
1.117.89.216:80 | Cobalt Strike botnet C2 server | 100%
45.61.185.229:8080 | Cobalt Strike botnet C2 server | 100%
140.238.16.235:443 | Cobalt Strike botnet C2 server | 100%
124.222.248.86:22222 | Cobalt Strike botnet C2 server | 100%
101.36.107.228:443 | Cobalt Strike botnet C2 server | 100%
46.3.112.227:4444 | Cobalt Strike botnet C2 server | 100%
23.227.168.242:6667 | Cobalt Strike botnet C2 server | 100%
8.210.154.177:2096 | Cobalt Strike botnet C2 server | 100%
5.42.199.39:80 | Cobalt Strike botnet C2 server | 100%
185.81.68.45:443 | Cobalt Strike botnet C2 server | 100%
185.9.147.79:80 | Loki Password Stealer (PWS) botnet C2 server | 100%
103.153.254.67:5555 | Mirai botnet C2 server | 75%
172.94.88.13:5888 | Remcos botnet C2 server | 75%
91.193.75.132:3434 | Nanocore RAT botnet C2 server | 75%
101.33.241.37:443 | Cobalt Strike botnet C2 server | 100%
107.150.126.47:80 | Cobalt Strike botnet C2 server | 100%
80.66.88.54:80 | IcedID Downloader botnet C2 server | 75%
8.141.159.248:4001 | Cobalt Strike botnet C2 server | 100%
139.59.68.42:443 | Cobalt Strike botnet C2 server | 100%
104.168.153.6:443 | Cobalt Strike botnet C2 server | 100%
8.141.153.76:3000 | Cobalt Strike botnet C2 server | 100%
51.83.250.196:80 | Cobalt Strike botnet C2 server | 100%
139.155.25.252:443 | Cobalt Strike botnet C2 server | 100%
42.193.20.129:80 | Cobalt Strike botnet C2 server | 100%
47.97.38.197:22413 | Cobalt Strike botnet C2 server | 100%
42.193.105.60:7777 | Cobalt Strike botnet C2 server | 100%
194.146.24.66:11400 | RedLine Stealer botnet C2 server | 100%
101.42.229.118:80 | Cobalt Strike botnet C2 server | 100%
45.142.122.52:1312 | Mirai botnet C2 server | 75%
20.89.177.186:21245 | Orcus RAT botnet C2 server | 100%
185.215.113.94:15995 | RedLine Stealer botnet C2 server | 100%
212.193.30.101:7661 | Remcos botnet C2 server | 75%
149.57.168.225:36063 | Mirai botnet C2 server | 75%
23.227.198.195:443 | BumbleBee botnet C2 server | 75%
23.227.203.120:443 | BumbleBee botnet C2 server | 75%
116.193.154.61:8866 | Cobalt Strike botnet C2 server | 100%
101.35.161.9:80 | Cobalt Strike botnet C2 server | 100%
95.211.26.159:443 | Cobalt Strike botnet C2 server | 100%
116.205.228.41:8081 | Cobalt Strike botnet C2 server | 100%
91.243.44.9:8890 | Cobalt Strike botnet C2 server | 100%
1.116.96.210:19443 | Cobalt Strike botnet C2 server | 100%
23.106.123.18:80 | Cobalt Strike botnet C2 server | 100%
119.45.164.232:80 | Cobalt Strike botnet C2 server | 100%
31.210.20.56:2404 | Remcos botnet C2 server | 75%
107.175.94.137:9931 | Mirai botnet C2 server | 75%
5.199.173.20:443 | IcedID botnet C2 server | 75%
107.172.0.101:9375 | Mirai botnet C2 server | 75%
45.67.35.151:8965 | RedLine Stealer botnet C2 server | 100%
198.244.142.77:5552 | NjRAT botnet C2 server | 100%
8.142.44.127:80 | Cobalt Strike botnet C2 server | 100%
SHA-256 payload hashes
Indicator | Description | Confidence
---|---|---
9cc89c892ff117b3b92f4a4f6f7b9d565fc31eb74bdce3150754660a9809bf33 | Mirai payload | 100%
a2418c7a868c57a8cfd1b070e19347877b56b4c572b5565c8334605d454f1a6f | Mirai payload | 100%
b5e605312267e9e4b2fc3947569d23b9aac690131dc8c1d571bc7549cfae1efd | Mirai payload | 100%
56f2883d96e8b478ccc8851a95327284f6b80dff07344de5f1365d45f7a53a34 | Mirai payload | 100%
3f069c378185dd3ca84fdbfe6bb959707e0f5c0c93f9a923687c5270cfaff563 | Mirai payload | 100%
76747fc801356f70063e643d6abced64e52421757eda7633b9b9ecaf26ea9eb3 | Mirai payload | 100%
a1d35c61b662c9bd99855d0e1d4bbe0405ac9cc8414eb8f3789757007d4ec4ea | Mirai payload | 100%
caf9e910917fac385fa7ebb0f1b10b2578df10903f83418dc94393f7610605d2 | Mirai payload | 100%
44cccbe14f1f35b7982ae34069c33e1344c6effb8c084cfef7ccb6bd7b28ae71 | Mirai payload | 100%
33d8e19b8c060b9592543ded64ef2790d5bf3e11ef997f7acdcd64ea8506a6d1 | Mirai payload | 100%
c2486d6e712d7ea059f881cbe37c86534f8d7d25368d0ef1337bc1011c3dbfa7 | Mirai payload | 100%
d3246aa37087bb0d0018a1bf4dc33c3a55efda9396bf7927d747a5a0bb75ad3e | Mirai payload | 100%
ae64cd40d636bdf1335f142522684d51e63f2e51c092709af84ecc6d9cc5c002 | Mirai payload | 100%
6187513e51b502e45932e3bbaea9fd5a06ffc2c9ef6c40a27621c017a7c8f14b | Remcos payload | 100%
cb4f0f68dacf3b0deddf62a86e6d8d4963ba941f6aadf2f874ece8ee3768ab54 | Formbook payload | 100%
99f7e07f84e40e362b58d7b84110898eda66ce1e6906b2e27f1e9a9cae90e548 | Formbook payload | 100%
fff7a3c8bd4187dc481b67336aa15c846409fc76deeebc6516e5e7c6b40210cc | Emotet payload | 100%
c2852625f0cecb5f260077caca416d2ea19f223cf9c3f5c50c926529070f3958 | Emotet payload | 100%
f1b82f72bd4fae05c9ec6a1e83959e3c7c0690640dcf125bdc6312b24e6e47ec | Emotet payload | 100%
4f06d7b11608c4990a46f91120d6e7a76e778111c6dd70a06c518b66c0cda123 | Emotet payload | 100%
1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3 | Conti payload | 100%
4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9 | Conti payload | 100%
a580994f4dc7ddcff680a36683ca44e9dcd6ba6c7d787626cbce16d18d46381f | STOP payload | 50%
50e1387078955b69ab956d0f81e935ab6ac9c0260131dd4fa2d3199b681750ee | Magniber payload | 50%
URLs
Indicator | Description | Confidence
---|---|---
http://cp.saol.com/cgi_bins/team/panel/gate.php | Pony botnet C2 | 100%
http://23.224.61.63/dpixel | Cobalt Strike botnet C2 | 100%
http://1.117.89.216/__utm.gif | Cobalt Strike botnet C2 | 100%
http://1cs.ad5f82e879a9c5d6b5b442eb37e50551.cc:8080/j.ad | Cobalt Strike botnet C2 | 100%
http://2cs.ad5f82e879a9c5d6b5b442eb37e50551.cc:8080/ptj | Cobalt Strike botnet C2 | 100%
https://cs.vcat.ml/ga.js | Cobalt Strike botnet C2 | 100%
http://124.222.248.86:22222/cm | Cobalt Strike botnet C2 | 100%
https://101.36.107.228/cm | Cobalt Strike botnet C2 | 100%
http://23.227.168.242:6667/cx | Cobalt Strike botnet C2 | 100%
https://8.210.154.177:2096/image/ | Cobalt Strike botnet C2 | 100%
https://104.21.82.49:2096/image/ | Cobalt Strike botnet C2 | 100%
https://flash-update.tk:2096/image/ | Cobalt Strike botnet C2 | 100%
http://www.superingectorw.com/updates.rss | Cobalt Strike botnet C2 | 100%
http://91.213.50.102/updates.rss | Cobalt Strike botnet C2 | 100%
http://s496138.smrtp.ru/panel/fre.php | Loki Password Stealer (PWS) botnet C2 | 100%
http://dlokis.xyz/sz/ps/sim.php | Loki Password Stealer (PWS) botnet C2 | 100%
http://sempersim.su/gf18/fre.php | Loki Password Stealer (PWS) botnet C2 | 100%
http://85.202.169.147/index.php | Azorult botnet C2 | 100%
http://pooaperadas.co.vu | Alien botnet C2 | 80%
http://varvurgecbizimlegel.co.vu | Alien botnet C2 | 80%
http://mynameisonderlandto666onderland.xyz/ | Alien botnet C2 | 80%
http://fudlasaplayeemmkehhd.co.vu | Alien botnet C2 | 80%
http://49.12.247.65 | Alien botnet C2 | 80%
http://latsgetd0xx4covu.co.vu | Alien botnet C2 | 80%
http://alisverissayfamda.shop | Alien botnet C2 | 80%
http://hekreskldlldolmaz.co.vu | Alien botnet C2 | 80%
http://hafsaoneill68.top | Hydra botnet C2 | 80%
http://sameerfreeman537.top | Hydra botnet C2 | 80%
http://str1str2.xyz/6.jpg | Oski Stealer botnet C2 | 100%
http://str1str2.xyz/1.jpg | Oski Stealer botnet C2 | 100%
http://str1str2.xyz/2.jpg | Oski Stealer botnet C2 | 100%
http://str1str2.xyz/3.jpg | Oski Stealer botnet C2 | 100%
http://str1str2.xyz/4.jpg | Oski Stealer botnet C2 | 100%
http://str1str2.xyz/5.jpg | Oski Stealer botnet C2 | 100%
http://str1str2.xyz/7.jpg | Oski Stealer botnet C2 | 100%
http://119.91.74.118/push | Cobalt Strike botnet C2 | 100%
https://101.33.241.37/j.ad | Cobalt Strike botnet C2 | 100%
http://107.150.126.47/visit.js | Cobalt Strike botnet C2 | 100%
http://198.46.199.168/550/vbc.exe | Formbook payload delivery URL | 100%
https://nowancenorly.ddns.net | NetWire RC botnet C2 | 100%
http://185.233.38.221/updateflowerdatalifewp.php | DCRat botnet C2 | 100%
http://198.187.30.47/p.php?id=614956569061910 | Loki Password Stealer (PWS) botnet C2 | 75%
http://113.161.58.249:53864/mozi.m | Mozi payload delivery URL | 50%
http://8.141.159.248:4001/en_us/all.js | Cobalt Strike botnet C2 | 100%
http://47.93.235.240:9898/dot.gif | Cobalt Strike botnet C2 | 100%
https://dodsafespace.org/pickup | Cobalt Strike botnet C2 | 100%
https://104.168.153.6/j.ad | Cobalt Strike botnet C2 | 100%
http://8.141.153.76:3000/g.pixel | Cobalt Strike botnet C2 | 100%
http://eclu.pl/api/fetch | Cobalt Strike botnet C2 | 100%
http://4uklew74b1.execute-api.us-east-1.amazonaws.com/api/fetch | Cobalt Strike botnet C2 | 100%
https://139.155.25.252/cm | Cobalt Strike botnet C2 | 100%
http://42.193.20.129/cx | Cobalt Strike botnet C2 | 100%
http://47.97.38.197:22413/pixel.gif | Cobalt Strike botnet C2 | 100%
http://42.193.105.60:7777/en_us/all.js | Cobalt Strike botnet C2 | 100%
https://cdn-102.bayfiles.com/z68fx4eay1/c2caab48-1652043448/jo.jpg | Formbook payload delivery URL | 100%
http://45.133.1.41/ony3/inc/b8970c3d73430d.php | Agent Tesla botnet C2 | 100%
http://45.133.1.41/max/inc/8a37641a98efbd.php | Agent Tesla botnet C2 | 100%
http://78.94.208.254/visit.js | Cobalt Strike botnet C2 | 100%
http://194.31.98.183/index.php | Azorult botnet C2 | 100%
http://sempersim.su/gf16/fre.php | Loki Password Stealer (PWS) botnet C2 | 75%
http://sempersim.su/gf22/fre.php | Loki Password Stealer (PWS) botnet C2 | 75%
http://138.201.149.43/1kaufvertrag682/ | Formbook payload delivery URL | 100%
http://138.201.149.43/1kaufvertrag682/as.ps1 | Formbook payload delivery URL | 100%
http://138.201.149.43/1kaufvertrag682/arkaiserin.vbs | Formbook payload delivery URL | 100%
http://198.23.251.5/mee.exe | Agent Tesla payload delivery URL | 100%
http://sempersim.su/gf14/fre.php | Loki Password Stealer (PWS) botnet C2 | 100%
http://sempersim.su/fo/fre.php | Loki Password Stealer (PWS) botnet C2 | 100%
http://3.122.113.204/providerupdateflowergeneratortrack.php | DCRat botnet C2 | 100%
https://ipfs.io/ipfs/qmqbpupxy3nzjk2yvspsujvhutajafrqpnjc58racujfrh?filename=inv-scl0093-05-22pdf.exe | Agent Tesla payload delivery URL | 100%
https://hawman.cc.dvrlists.com | Remcos botnet C2 | 100%
https://freshdirect.dvrlists.com | Remcos botnet C2 | 100%
http://116.193.154.61:8866/j.ad | Cobalt Strike botnet C2 | 100%
http://iqiy1.tk/api/3 | Cobalt Strike botnet C2 | 100%
https://95.211.26.159/search | Cobalt Strike botnet C2 | 100%
http://116.205.228.41:8081/en_us/all.js | Cobalt Strike botnet C2 | 100%
http://91.243.44.9:8890/ucd | Cobalt Strike botnet C2 | 100%
https://1.116.96.210:19443/api/3 | Cobalt Strike botnet C2 | 100%
http://23.106.123.18/be | Cobalt Strike botnet C2 | 100%
http://119.45.164.232/ie9compatviewlist.xml | Cobalt Strike botnet C2 | 100%
http://service-4u30t4nh-1305010017.sh.apigw.tencentcs.com/api/x | Cobalt Strike botnet C2 | 100%
http://84.38.133.116/clouddoc/vbc.exe | XLoader payload delivery URL | 100%
https://ny-city-mall.com/search.php | SmokeLoader botnet C2 | 100%
https://fresh-cars.net/search.php | SmokeLoader botnet C2 | 100%
http://51.91.35.167/order/winlogon.exe | XLoader payload delivery URL | 100%
http://198.12.81.20/book/book.exe | XLoader payload delivery URL | 100%
http://198.46.199.168/500/vbc.exe | XLoader payload delivery URL | 100%
http://31.172.66.22/datalifepublic.php | DCRat botnet C2 | 100%
Domains
Indicator | Description | Confidence
---|---|---
fasebrewer.site | IcedID botnet C2 domain | 100%
carrowtwo.com | IcedID botnet C2 domain | 100%
Threat ID: 682c7abce3e6de8ceb751c94
Added to database: 5/20/2025, 12:51:08 PM
Last enriched: 6/19/2025, 1:04:28 PM
Last updated: 8/12/2025, 7:17:25 AM
Views: 17