ThreatFox IOCs for 2022-10-09
AI Analysis
Technical Summary
This entry is the ThreatFox daily IOC export for 9 October 2022, redistributed as a MISP event tagged type:osint and tlp:white (shareable without restriction). It is not an advisory about a vulnerability: there is no affected product, CVE, CWE or patch, and the notion of an exploit in the wild does not apply to it. What it does carry is roughly 180 indicators, each with a malware family and a ThreatFox confidence score supplied by the submitter. The bulk are Cobalt Strike beacon C2 URLs and servers; the rest are C2 or payload-delivery endpoints for commodity stealers and RATs (RedLine, Vidar, RecordBreaker, Loki PWS, Azorult, Pony, Agent Tesla, DCRat, AsyncRAT, Quasar, NjRAT, Nanocore, Orcus, Meterpreter), IoT botnets (Mozi, Mirai, Bashlite), the PhotoLoader and BumbleBee loaders, IRATA, and single STOP and WannaCryptor sample hashes. The 50% entries (Mozi, Agent Tesla, STOP, WannaCryptor) and 75% entries (Mirai, Bashlite, PhotoLoader, BumbleBee) are weaker than the 100% ones and should be weighted accordingly. Two rendering problems in this copy matter when ingesting it: the 'file' entries are IPv4 addresses, and every 'hash' entry that is a one- to five-digit number (80, 443, 4499, 17162 and so on) is the TCP port belonging to the 'file' line directly above it, so each such pair is one ip:port indicator rather than a file and a hash; only the 32- and 64-character hex values are real MD5 and SHA-256 hashes. Threat Level 2, Analysis 1 and Distribution 3 are MISP event attributes (Medium threat level, analysis ongoing, shared with all communities), not a rating of the individual indicators.
Potential Impact
These indicators are command-and-control and payload-delivery endpoints that were live, or had very recently been live, around 9 October 2022, so a match against proxy, DNS, firewall or EDR telemetry from that window is strong evidence of an active infection rather than a theoretical risk: a Cobalt Strike beacon check-in means an operator with hands-on access, and the stealer and RAT families in the set mean credential and session theft or remote control of the host. The list says nothing about who was targeted. ThreatFox indicators carry no victimology, so the country list below is the aggregator's assessment rather than something derivable from the data. Two properties limit the value of the set. First, it is a snapshot: C2 infrastructure of this kind rotates within days or weeks, so the network indicators lose value quickly and should be aged out rather than kept as permanent block rules. Second, several entries sit on shared infrastructure and will produce false positives if blocked wholesale: the Vidar entries on t.me and ioc.exchange are profile pages used as dead-drop resolvers for the real C2 address, 104.21.54.192, 172.67.141.87 and 104.17.123.55 are Cloudflare edge addresses fronting operator domains, the apigw.tencentcs.com hostnames are a cloud API gateway used as a redirector, the duckdns.org, 3utilities.com and accesscam.org entries are dynamic-DNS hostnames whose parent domains are legitimate, and the AWS and Azure addresses (3.x, 13.x, 18.x, 20.x) are rented instances that will be reassigned. Ignoring the feed costs more than ingesting it, but it has to be ingested with those caveats.
Mitigation Recommendations
1. Normalise before ingesting: rejoin each 'file' IPv4 address with the numeric 'hash' that follows it into one ip:port indicator, keep only the 32- and 64-character hex values as MD5 and SHA-256 hashes, and lower-case and trailing-slash-normalise URLs so that exact matching works.
2. Match each indicator type against the telemetry where it can actually appear: URLs and hostnames against proxy and DNS logs, ip:port pairs against firewall and flow records (the port matters: non-web ports such as 17162, 4499, 7707 and 29244 on RAT servers are high-fidelity), and the file hashes against EDR and mail-gateway file telemetry.
3. Run the match retrospectively over logs from at least the week around 9 October 2022 as well as forward, since indicators are published after the infrastructure is already in use.
4. Treat indicators on shared or legitimate infrastructure (t.me, ioc.exchange, the Cloudflare addresses, the apigw.tencentcs.com hostnames, cloud-provider IPs) as alert-and-investigate rather than block, and block the full URL or the operator-controlled hostname instead; for the dynamic-DNS entries match the full hostname (dimascu.duckdns.org), never the parent domain.
5. Hunt for the pattern, not only the list: almost every Cobalt Strike entry uses a stock beacon URI (/ptj, /pixel.gif, /g.pixel, /dpixel, /push, /activity, /fwlink, /load, /visit.js, /updates.rss, /ie9compatviewlist.xml, /j.ad, /cm, /ca, /cx, /dot.gif, /ga.js, /pixel, /en_us/all.js, /jquery-3.3.1.min.js, or the Amazon-style /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books path), so a rule on those paths to raw-IP or uncategorised hosts catches beacons whose servers are not in this set.
6. Expire the indicators: age the network indicators out after a few weeks unless re-observed, and keep the file hashes.
7. Handle hits as compromises, not alerts: a beacon or stealer C2 match means the host is under attacker control and any credentials on it should be treated as exposed.
8. Since no patch applies, general hygiene remains the backstop: egress filtering that forces web traffic through an authenticating proxy defeats most of the raw-IP beacons listed here, network segmentation limits lateral movement, and least privilege limits what a RAT or beacon can reach.
9. Share the indicators onward in their original TLP:WHITE form with national CSIRTs, CERT-EU or ENISA channels, which can add the targeting context the feed itself lacks.
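The normalisation and matching described above, as an added example that is not code from the ThreatFox page or project. The script rejoins the mislabelled ip:port pairs, separates real hashes from ports, and then sweeps proxy log lines with four outcomes: block (exact URL, ip:port, or domain/subdomain hit), alert (an IOC URL that lives on a shared service such as t.me), hunt (a stock Cobalt Strike beacon URI on a host not in the feed), or clean. The IOC snippet uses values from the page; the log lines and their "<timestamp> <source IP> <method> <url> <status>" layout are constructed for the example and are an assumption about the proxy format.

```python
"""Normalise a ThreatFox-style IOC dump and sweep proxy logs with it.
Added example, not code from the ThreatFox page or project; IOC and log lines are
constructed here (IOC values from the page), the log layout is an assumption."""
import re
from urllib.parse import urlsplit

# Page layout: an ip:port indicator is a "file" line (IP) followed by a "hash" line (port).
IOC_TEXT = """\
- url: http://192.210.196.73/ptj
- url: http://t.me/alertbabka7743
- file: 45.138.16.38
- hash: 29244
- file: 157.245.254.149
- hash: 443
- hash: 2b6abdfda133bc13eac023a3d9ac67d5
- hash: 876eeb5d4435bf1ffd84e21c625f013d64c754dd03327df047b6ed4fc6bc3894
- domain: dimascu.duckdns.org
"""
# Stock Cobalt Strike beacon GET URIs from the page: a hunt lead on an unlisted host, not a block.
CS_DEFAULT_PATHS = {
    "/ptj", "/pixel.gif", "/g.pixel", "/dpixel", "/push", "/activity", "/fwlink",
    "/load", "/visit.js", "/updates.rss", "/ie9compatviewlist.xml", "/j.ad", "/cm",
    "/ca", "/cx", "/dot.gif", "/ga.js", "/pixel", "/jquery-3.3.1.min.js", "/en_us/all.js",
}
SHARED_SERVICE_HOSTS = {"t.me", "ioc.exchange"}  # Vidar dead drops; never block the host
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX32, HEX64 = re.compile(r"^[0-9a-f]{32}$"), re.compile(r"^[0-9a-f]{64}$")

def parse_iocs(text):
    """Return dict of sets keyed url / ip_port / domain / md5 / sha256."""
    out = {k: set() for k in ("url", "ip_port", "domain", "md5", "sha256")}
    pending_ip = None  # IP from the previous "file" line, waiting for its port
    for line in text.splitlines():
        m = re.match(r"^- (\w+): (\S+)", line)
        if not m:
            continue
        kind, value = m.group(1), m.group(2).lower()
        if kind == "file" and IPV4.match(value):
            pending_ip = value
            continue
        if kind == "hash":
            if pending_ip and value.isdigit() and 0 < int(value) < 65536:
                out["ip_port"].add(f"{pending_ip}:{value}")  # the "hash" was a port
            elif HEX32.match(value):
                out["md5"].add(value)
            elif HEX64.match(value):
                out["sha256"].add(value)
        elif kind == "url":
            out["url"].add(value.rstrip("/"))
        elif kind == "domain":
            out["domain"].add(value)
        pending_ip = None
    return out

def classify(url, iocs):
    """Verdict for one logged URL: block / alert / hunt / clean, plus a reason."""
    norm = url.lower().rstrip("/")
    t = urlsplit(norm if "://" in norm else "//" + norm)  # CONNECT targets lack a scheme
    host = t.hostname or ""
    port = t.port or (443 if t.scheme == "https" else 80)
    if norm in iocs["url"]:
        if host in SHARED_SERVICE_HOSTS:
            return "alert", f"IOC URL on shared service {host}: block the path, not the host"
        return "block", "exact IOC URL"
    if f"{host}:{port}" in iocs["ip_port"]:
        return "block", "IOC ip:port"
    if any(host == d or host.endswith("." + d) for d in iocs["domain"]):
        return "block", "IOC domain or subdomain"
    if t.path in CS_DEFAULT_PATHS:
        return "hunt", "stock Cobalt Strike beacon URI on a host not in the feed"
    return "clean", ""

# Constructed "<ts> <src> <METHOD> <url> <status>" lines; only the last one should stay clean.
SAMPLE_LOGS = """\
1665360200 10.1.2.3 GET http://192.210.196.73/ptj 200
1665360201 10.1.2.4 CONNECT 157.245.254.149:443 200
1665360202 10.1.2.5 GET http://cdn.example.org/jquery-3.3.1.min.js 200
1665360203 10.1.2.6 GET http://t.me/alertbabka7743 200
1665360204 10.1.2.7 GET http://api.dimascu.duckdns.org/x 200
1665360205 10.1.2.8 CONNECT 45.138.16.38:29244 200
1665360206 10.1.2.9 GET http://203.0.113.9:29244/ 200
"""

def sweep(log_text, iocs):
    """Return [(src_ip, url, verdict, reason)] for every line that is not clean."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            verdict, reason = classify(parts[3], iocs)
            if verdict != "clean":
                hits.append((parts[1], parts[3], verdict, reason))
    return hits

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(" | ".join(hit))
```

The port is part of the ip:port key on purpose: the last log line connects to port 29244, the same port RedLine uses on 45.138.16.38, but to an unrelated address, and it stays clean. The domain rule matches subdomains of the listed hostname but never the dynamic-DNS parent, and the Cobalt Strike path rule is deliberately ranked as a hunt lead because jquery-3.3.1.min.js on a CDN is normal traffic.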
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Threat Level: 2 (MISP event threat level; 2 = Medium)
- Analysis: 1 (MISP analysis state; 1 = Ongoing)
- Distribution: 3 (MISP distribution; 3 = All communities)
- Uuid: 0eed2447-ae60-458a-ab88-af49bbbe6c12
- Original Timestamp: 1665360184 (2022-10-10 00:03:04 UTC)
Indicators of Compromise
Url
Value | Description
---|---
http://192.210.196.73/ptj | Cobalt Strike botnet C2 (confidence level: 100%)
https://42.194.199.231/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%)
https://192.210.196.73:4430/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%)
https://42.194.199.231:7443/push | Cobalt Strike botnet C2 (confidence level: 100%)
https://120.48.122.130/activity | Cobalt Strike botnet C2 (confidence level: 100%)
http://119.3.177.228/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
http://api-connect-2b8c1bv.securesystem-dnsproviders.com/owa/cuokjbbxfzv2ri1uqveq | Cobalt Strike botnet C2 (confidence level: 100%)
http://45.89.55.178/ | RecordBreaker botnet C2 (confidence level: 100%)
http://85.31.46.94/purelogs/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
http://139.224.189.177:20073/cx | Cobalt Strike botnet C2 (confidence level: 100%)
http://89.208.106.37/ptj | Cobalt Strike botnet C2 (confidence level: 100%)
https://111.90.146.114:8443/j.ad | Cobalt Strike botnet C2 (confidence level: 100%)
http://124.70.67.154/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
http://www.axiommortgagebankers.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%)
http://149.28.76.119/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%)
https://124.221.246.224:4430/push | Cobalt Strike botnet C2 (confidence level: 100%)
http://109.237.219.236:8443/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://128.199.225.53/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
http://82.157.145.105:4445/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://121.5.72.218/pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://154.26.130.12/ca | Cobalt Strike botnet C2 (confidence level: 100%)
https://157.245.254.149/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://149.28.128.31:8866/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://120.53.245.230/pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://47.243.6.203/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://101.43.249.51:81/pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://92.63.106.16/providerrequestpollmulti.php | DCRat botnet C2 (confidence level: 100%)
http://185.51.247.56/ | RecordBreaker botnet C2 (confidence level: 100%)
http://85.31.46.94/blessedlogs/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
http://ble3ds2.shop/pl341/index.php | Azorult botnet C2 (confidence level: 100%)
http://urvesh.net63.net/pony/panel/gate.php | Pony botnet C2 (confidence level: 100%)
https://update.falsh.cf:2096/admin.php | Cobalt Strike botnet C2 (confidence level: 100%)
http://107.39.135.64:8001/cm | Cobalt Strike botnet C2 (confidence level: 100%)
http://101.43.249.34:8081/ptj | Cobalt Strike botnet C2 (confidence level: 100%)
https://45.135.135.246:4433/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://47.243.203.249/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://43.154.57.146:8001/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://service-5b9ph069-1302650299.sh.apigw.tencentcs.com/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
http://106.52.130.164:8000/load | Cobalt Strike botnet C2 (confidence level: 100%)
https://zadiguser.com/release | Cobalt Strike botnet C2 (confidence level: 100%)
http://110.43.34.176:8080/activity | Cobalt Strike botnet C2 (confidence level: 100%)
http://47.108.137.190/wp06/wp-includes/po.php | Cobalt Strike botnet C2 (confidence level: 100%)
http://182.61.6.63:3333/ptj | Cobalt Strike botnet C2 (confidence level: 100%)
https://vendriol.com/activity | Cobalt Strike botnet C2 (confidence level: 100%)
https://tetafup.com/rw.css | Cobalt Strike botnet C2 (confidence level: 100%)
https://www.microsofer.top/image/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://104.21.54.192/image/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://172.67.141.87/image/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://microsofer.top/image/ | Cobalt Strike botnet C2 (confidence level: 100%)
http://222.140.177.178:56693/mozi.m | Mozi payload delivery URL (confidence level: 50%)
http://8.210.118.18:801/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%)
https://47.240.102.1:6781/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
https://175.178.219.118:6781/visit.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://121.5.72.218/include/template/isx.php | Cobalt Strike botnet C2 (confidence level: 100%)
https://171.22.30.82:10087/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://service-66f7n2lg-1304697786.gz.apigw.tencentcs.com/api/x | Cobalt Strike botnet C2 (confidence level: 100%)
https://121.4.88.169/visit.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://198.98.58.41:8880/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
http://192.210.196.73:9999/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
https://152.89.196.33/j.ad | Cobalt Strike botnet C2 (confidence level: 100%)
http://120.78.155.42/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://42.194.199.231:8443/visit.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://120.48.122.130/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://152.89.196.33/pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://t.me/alertbabka7743 | Vidar botnet C2 (confidence level: 100%)
http://ioc.exchange/@zebra54 | Vidar botnet C2 (confidence level: 100%)
http://23.88.115.141/1495 | Vidar botnet C2 (confidence level: 100%)
http://5.161.120.43/1685 | Vidar botnet C2 (confidence level: 100%)
http://116.202.5.121/1587 | Vidar botnet C2 (confidence level: 100%)
http://23.88.115.141/1707 | Vidar botnet C2 (confidence level: 100%)
http://23.88.115.141/1014 | Vidar botnet C2 (confidence level: 100%)
http://116.202.5.121/1142 | Vidar botnet C2 (confidence level: 100%)
http://23.88.115.141/1685 | Vidar botnet C2 (confidence level: 100%)
https://mmduskm4.tk/usk | IRATA botnet C2 (confidence level: 100%)
https://mmduskm4.tk/usk/rat.php | IRATA botnet C2 (confidence level: 100%)
https://mmduskm4.cf/usk | IRATA botnet C2 (confidence level: 100%)
https://mmduskm4.cf/usk/rat.php | IRATA botnet C2 (confidence level: 100%)
http://45.15.157.1/_httpapicentral.php | DCRat botnet C2 (confidence level: 100%)
http://104.17.123.55/ga.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://116.30.135.206:40209/mozi.m | Mozi payload delivery URL (confidence level: 50%)
http://46.3.199.120/ptj | Cobalt Strike botnet C2 (confidence level: 100%)
https://179.60.146.53:8888/magnify.json | Cobalt Strike botnet C2 (confidence level: 100%)
http://174.137.49.238:8088/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://43.138.75.169:8082/uri/ | Cobalt Strike botnet C2 (confidence level: 100%)
http://184.168.122.214:8089/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://45.32.56.222:4467/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://43.142.136.237:12345/pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://192.161.179.130:8088/push | Cobalt Strike botnet C2 (confidence level: 100%)
https://179.60.146.53:4444/magnify.json | Cobalt Strike botnet C2 (confidence level: 100%)
http://164.155.126.7/load | Cobalt Strike botnet C2 (confidence level: 100%)
http://43.138.188.65:9999/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
http://8.210.7.106:8901/load | Cobalt Strike botnet C2 (confidence level: 100%)
http://13.41.186.2/ptj | Cobalt Strike botnet C2 (confidence level: 100%)
http://167.235.142.21/api/files/client/s21 | Vidar payload delivery URL (confidence level: 100%)
http://116.203.182.209/1636 | Vidar botnet C2 (confidence level: 100%)
https://adlirans-usiran.ml/usk | IRATA botnet C2 (confidence level: 100%)
https://adlirans-usiran.ml/usk/rat.php | IRATA botnet C2 (confidence level: 100%)
IP:port
The source rendered each of these as a 'file' entry (the address) followed by a 'hash' entry (the port); they are ip:port indicators, shown here rejoined.
Value | Description
---|---
31.7.62.194:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
89.208.106.37:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
124.70.67.154:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
149.28.76.119:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
66.63.188.151:80 | PhotoLoader botnet C2 server (confidence level: 75%)
128.199.225.53:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
154.26.130.12:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
157.245.254.149:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
138.68.69.19:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
69.49.244.222:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
45.138.16.38:29244 | RedLine Stealer botnet C2 server (confidence level: 100%)
91.109.184.18:7707 | AsyncRAT botnet C2 server (confidence level: 100%)
164.92.254.170:666 | Bashlite botnet C2 server (confidence level: 75%)
45.14.13.20:4499 | Quasar RAT botnet C2 server (confidence level: 100%)
45.82.179.76:4499 | Quasar RAT botnet C2 server (confidence level: 100%)
80.76.51.189:420 | Bashlite botnet C2 server (confidence level: 75%)
23.147.226.118:123 | Mirai botnet C2 server (confidence level: 75%)
180.76.58.134:1234 | Meterpreter botnet C2 server (confidence level: 100%)
51.79.146.211:80 | Mirai botnet C2 server (confidence level: 75%)
141.255.144.116:1177 | NjRAT botnet C2 server (confidence level: 100%)
194.87.71.159:32632 | RedLine Stealer botnet C2 server (confidence level: 100%)
188.241.240.136:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
124.223.96.251:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
106.52.130.164:8001 | Cobalt Strike botnet C2 server (confidence level: 100%)
64.44.135.106:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
46.175.148.53:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
160.20.147.57:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
121.5.72.218:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
173.225.115.99:7702 | Quasar RAT botnet C2 server (confidence level: 100%)
46.175.148.53:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
85.239.62.233:80 | Vidar botnet C2 server (confidence level: 100%)
185.225.19.47:80 | Vidar botnet C2 server (confidence level: 100%)
185.25.51.36:80 | Vidar botnet C2 server (confidence level: 100%)
45.142.214.245:40156 | RedLine Stealer botnet C2 server (confidence level: 100%)
141.255.146.249:1182 | NjRAT botnet C2 server (confidence level: 100%)
141.255.146.249:1188 | NjRAT botnet C2 server (confidence level: 100%)
5.255.102.24:80 | PhotoLoader botnet C2 server (confidence level: 75%)
45.11.19.86:443 | BumbleBee botnet C2 server (confidence level: 75%)
162.55.208.228:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
46.3.199.120:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
46.175.148.74:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
45.140.19.14:81 | RedLine Stealer botnet C2 server (confidence level: 100%)
192.169.69.25:5873 | Nanocore RAT botnet C2 server (confidence level: 100%)
3.140.223.7:17162 | NjRAT botnet C2 server (confidence level: 100%)
3.141.177.1:17162 | NjRAT botnet C2 server (confidence level: 100%)
3.141.142.211:17162 | NjRAT botnet C2 server (confidence level: 100%)
164.155.126.7:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
18.189.106.45:17162 | NjRAT botnet C2 server (confidence level: 100%)
79.137.192.32:43204 | RedLine Stealer botnet C2 server (confidence level: 100%)
20.63.59.253:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
18.130.114.9:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
95.217.30.31:37397 | RedLine Stealer botnet C2 server (confidence level: 100%)
209.25.141.180:60302 | Orcus RAT botnet C2 server (confidence level: 100%)
45.148.121.63:44944 | Meterpreter botnet C2 server (confidence level: 100%)
188.119.112.156:24790 | RedLine Stealer botnet C2 server (confidence level: 100%)
Hash (MD5 and SHA-256 sample hashes)
Value | Description
---|---
2b6abdfda133bc13eac023a3d9ac67d5 | Agent Tesla payload (confidence level: 50%)
100881ee6d40225ea7efe89cd109ae60 | STOP payload (confidence level: 50%)
876eeb5d4435bf1ffd84e21c625f013d64c754dd03327df047b6ed4fc6bc3894 | IRATA payload (confidence level: 100%)
c81f353a8448a9d4bbbb2aa5e3dce872 | IRATA payload (confidence level: 100%)
d2dcc5690cdeadc473ba4f6753eb63fc36c91f57f15d390cf8f4ab41871ec654 | IRATA payload (confidence level: 100%)
4acb3ceff6e3bbc636301a5116fc18df | IRATA payload (confidence level: 100%)
b92b6143f625f3a5dbd617fb471d152fa19aa16faae24a58859fdc0ad5c502bf | IRATA payload (confidence level: 100%)
342d9ce78a60e455a57662da1a9f4c69 | IRATA payload (confidence level: 100%)
31391445037f9769222143a8f5ae9f88703510addf13fd029b0d5d016d40b16f | IRATA payload (confidence level: 100%)
2c3daa88c0f3e5332bb7ffc7f52b3a39 | IRATA payload (confidence level: 100%)
959ceca4c10333e52586daf29fe071ed | WannaCryptor payload (confidence level: 50%)
c1247cb8f7edc03b2415d6e6409de22d687a6e58a49b6e8bfaf5f6e8b00773a3 | IRATA payload (confidence level: 100%)
28c6e84587d6398d3161945c0ad7a51a | IRATA payload (confidence level: 100%)
290cfbb66adbf41238bb837955c15b6a62bbf4811bd81f831195e95513b91f09 | IRATA payload (confidence level: 100%)
4bd6edfa8d6864f053f671188c4cc5aa | IRATA payload (confidence level: 100%)
c6ce203ce913717a67c75b2d0a0492161beab9c80cf44590e4c5d567cbc90efc | IRATA payload (confidence level: 100%)
83ea5b1ca766a9ca578654e66b6061ed | IRATA payload (confidence level: 100%)
0b01e7e4e94909ffc4362c0d2a66a250434f1bc6e8e587682cbdeb5923c725ea | IRATA payload (confidence level: 100%)
9cf03f6f19ecd925f07dc7a72e665587 | IRATA payload (confidence level: 100%)
Domain
Value | Description
---|---
stokpro.buzz | Unknown malware botnet C2 domain (confidence level: 100%)
dimascu.duckdns.org | AsyncRAT botnet C2 domain (confidence level: 100%)
cdt.3utilities.com | AsyncRAT botnet C2 domain (confidence level: 100%)
chromedata.accesscam.org | AsyncRAT botnet C2 domain (confidence level: 100%)
mmduskm4.tk | IRATA botnet C2 domain (confidence level: 100%)
mmduskm4.cf | IRATA botnet C2 domain (confidence level: 100%)
adlirans-usiran.ml | IRATA botnet C2 domain (confidence level: 100%)
Threat ID: 682b7ba5d3ddd8cef2e8819e
Added to database: 5/19/2025, 6:42:45 PM
Last enriched: 6/18/2025, 7:03:30 PM
Last updated: 8/14/2025, 5:46:43 PM