ThreatFox IOCs for 2022-11-29
AI Analysis
Technical Summary
This entry is ThreatFox's daily export for 29 November 2022. ThreatFox is abuse.ch's community platform for sharing indicators of compromise (IOCs); the export is distributed as a MISP event, and the threat level, analysis and distribution values listed under Technical Details are that event's MISP attributes (threat level 2 is MISP's "Medium", analysis 1 is "Ongoing", distribution 3 is "All communities"), not a severity score for any single indicator. The event is tagged malware/OSINT because every indicator is a botnet command-and-control (C2) or payload-delivery observable contributed from open reporting. It is rich in actionable data: 71 URLs, 39 domains, 71 IP:port pairs, 39 SHA-256 hashes and one MD5 hash. Each network indicator carries a malware family and a reporter confidence level between 50% and 100%. Cobalt Strike team servers form the largest group, followed by Vidar, Emotet, RedLine Stealer, CryptBot, Loki PWS, Remcos, BumbleBee, NjRAT, Ave Maria, Mirai, IcedID/PhotoLoader, Amadey, Alien, Azorult, QakBot, Mozi, DCRat, STRRAT, BitRAT, Ghost RAT, RecordBreaker, Hydra and Houdini, plus one unattributed C2 domain. Three entries are payload-delivery URLs rather than C2 endpoints (a Loki PWS executable, a QakBot archive and a Mozi IoT payload). Because these are infrastructure indicators rather than vulnerabilities, there are no CWE identifiers, affected product versions or patches to cite; the relevant controls are detection and blocking. Note that the extraction that produced this page split every IP:port indicator into a "file" line holding the address and a "hash" line holding the port, so values such as "hash: 443" are ports, not file digests.
Potential Impact
The listed families cover the whole intrusion chain seen in 2022 ransomware and fraud operations: loaders and initial-access tooling (Emotet, IcedID/PhotoLoader, BumbleBee, QakBot, Amadey, Cobalt Strike), information stealers that harvest browser credentials, session cookies and wallets (Vidar, RedLine, CryptBot, Loki PWS, Azorult, RecordBreaker), commodity remote-access trojans (Remcos, NjRAT, Ave Maria, DCRat, STRRAT, BitRAT, Ghost RAT, Houdini), Android banking malware (Alien, Hydra) and IoT botnets (Mirai, Mozi). A host that talks to any of these endpoints is either already compromised or in the process of fetching a payload, so the immediate impact is loss of confidentiality (credential theft) and, if the C2 channel is not cut, loss of integrity and availability through hands-on-keyboard follow-up and ransomware. Several indicators need care before they are turned into blocks: the two Vidar entries on t.me and steamcommunity.com are individual profile pages that Vidar samples read to obtain their real C2 address, the Cobalt Strike entries on cloudfront.net, cloudapp.azure.com, tyk.io and aicdn.com sit on shared cloud and CDN hostnames, and the Emotet addresses listen on ports such as 443, 8080 and 53 that may also serve legitimate traffic on the same host. Blocking the apex domain or the bare IP in those cases causes collateral damage; match the full URL or the IP:port pair instead. The country list below is the aggregator's assessment; the ThreatFox feed itself is global and carries no targeting information.
Mitigation Recommendations
1. Ingest the feed automatically rather than by hand: ThreatFox publishes the same data through its API, as a MISP feed and as CSV/JSON exports, with the ip:port, url, domain and hash types kept separate. Load the indicators into SIEM lookup tables and EDR/firewall blocklists with the source, family and confidence level preserved as metadata.
2. Match on the most specific form of each indicator: the full URL for URL entries, the IP:port pair for C2 servers, and the hostname for domains. Do not expand a URL indicator on t.me, steamcommunity.com or a cloud/CDN hostname into a domain block.
3. Hunt retrospectively over the days around 29 November 2022 in proxy, DNS, firewall and NetFlow logs for the network indicators, and in EDR telemetry for the SHA-256 and MD5 hashes. A hit on a C2 URL or IP:port pair means an infected host, not merely a blocked attempt, and should open an incident.
4. Treat the confidence level as a triage input: entries at 100% can be blocked outright, 75% entries should alert, and the 50% entries (the unattributed C2 domain and the Mozi payload URL) should be logged and corroborated before blocking.
5. Age indicators out: C2 servers and the Vidar profile pages rotate within days, so keep the feed current and retire entries that are no longer observed rather than letting the blocklist grow indefinitely.
6. Share confirmed hits with the national CERT/CSIRT or sector ISAC and submit new sightings back to ThreatFox; the feed is community-sourced.
7. There is nothing to patch, since these are infrastructure indicators rather than a vulnerability. Effort goes into detection coverage, network segmentation that limits lateral movement after a loader infection, and credential resets for any user whose host contacted a stealer C2.
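The hunting step above, as an added example (my code, not ThreatFox's or this page's): it parses the flattened indicator list in the form it appears on this page, including the extraction form in which an ip:port indicator became a "file" line (the address) followed by a "hash" line (the port), then runs the normalised set over a handful of constructed proxy, DNS, firewall and EDR log lines. The log format, the field names (dst, url, query, sha256) and the sample lines are assumptions for the demo; the indicators in IOC_TEXT are taken from this page.

```python
"""Normalise this page's flattened IOC list and hunt for it in logs.

Added example, not ThreatFox or page code. The parser accepts the list as
shown on this page, including the flattened form where an ip:port indicator
became a "file" line (address) followed by a "hash" line (port).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Excerpt of the page's list (constructed sample input, values from the page).
IOC_TEXT = """\
- url: http://cs.qaxc2.xyz/cx
- domain: cs.qaxc2.xyz
- file: 49.234.19.234
- hash: 80
- url: https://t.me/asifrazatg
- ip:port: 185.246.221.36:54794
- domain: kudcfe312.top
- sha256_hash: 123c451c4d138fd989b0bfc7de36ff761f621eb3e780500e375840a8e879a876
- hash: fae47086c34007307f6e2cd0c47a97d8
"""

# Constructed log lines; timestamps, internal and TEST-NET addresses are made up.
SAMPLE_LOGS = [
    "2022-11-29T10:02:10Z dns src=10.1.2.3 query=cs.qaxc2.xyz",
    "2022-11-29T10:02:11Z proxy src=10.1.2.3 dst=49.234.19.234:80 url=http://cs.qaxc2.xyz/cx",
    "2022-11-29T10:04:30Z proxy src=10.1.2.9 dst=203.0.113.10:443 url=https://t.me/asifrazatg",
    "2022-11-29T10:04:31Z proxy src=10.1.2.9 dst=203.0.113.10:443 url=https://t.me/example_channel",
    "2022-11-29T10:05:00Z fw src=10.1.2.5 dst=49.234.19.234:443 action=allow",
    "2022-11-29T10:05:02Z edr host=WS-17 sha256=123C451C4D138FD989B0BFC7DE36FF761F621EB3E780500E375840A8E879A876",
]

LINE_RE = re.compile(r"^- (url|domain|ip:port|file|hash|sha256_hash|md5_hash): (\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
KV_RE = re.compile(r"(\w+)=(\S+)")  # assumed key=value log layout


@dataclass
class IocSet:
    urls: set = field(default_factory=set)      # normalised URLs
    domains: set = field(default_factory=set)   # lower-case hostnames
    ip_ports: set = field(default_factory=set)  # (ip, port) tuples
    hashes: set = field(default_factory=set)    # lower-case hex digests


def normalize_url(url):
    """Lower-case scheme and host, drop a default port, keep path and query."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = p.hostname or ""
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    return f"{scheme}://{netloc}{p.path}" + (f"?{p.query}" if p.query else "")


def parse_iocs(text):
    iocs = IocSet()
    pending_ip = None  # address from a "file" line waiting for its port
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, value = m.group(1), m.group(2)
        if kind == "url":
            iocs.urls.add(normalize_url(value))
        elif kind == "domain":
            iocs.domains.add(value.lower().rstrip("."))
        elif kind == "ip:port":
            ip, _, port = value.rpartition(":")
            iocs.ip_ports.add((ip, int(port)))
        elif kind == "file" and IPV4_RE.match(value):
            pending_ip = value
        elif kind == "hash" and value.isdigit() and pending_ip:
            iocs.ip_ports.add((pending_ip, int(value)))  # the "hash" is a port
            pending_ip = None
        elif kind in ("hash", "sha256_hash", "md5_hash") and HEX_RE.match(value.lower()):
            iocs.hashes.add(value.lower())
    return iocs


def hunt(iocs, log_lines):
    """Return (line_no, indicator_type, value) for every log line that hits."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        found = set()
        for key, val in KV_RE.findall(line):
            if key == "dst" and ":" in val:
                ip, _, port = val.rpartition(":")
                if port.isdigit() and (ip, int(port)) in iocs.ip_ports:
                    found.add(("ip:port", val))
            elif key == "url":
                u = normalize_url(val)
                if u in iocs.urls:
                    found.add(("url", u))
                host = urlsplit(u).hostname or ""
                if host in iocs.domains:
                    found.add(("domain", host))
            elif key == "query" and val.lower().rstrip(".") in iocs.domains:
                found.add(("domain", val.lower().rstrip(".")))
            elif key in ("md5", "sha1", "sha256") and val.lower() in iocs.hashes:
                found.add(("hash", val.lower()))
        hits.extend((n, kind, value) for kind, value in sorted(found))
    return hits


if __name__ == "__main__":
    for n, kind, value in hunt(parse_iocs(IOC_TEXT), SAMPLE_LOGS):
        print(f"line {n}: {kind} {value}")
```

Two details carry the point of recommendation 2: the address match is on the (ip, port) pair, so the firewall line to 49.234.19.234:443 is not a hit because only port 80 is listed for that host, and the t.me match is on the full profile URL, so ordinary Telegram traffic from the same workstation stays clean while the Vidar profile page is caught.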
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
Types follow ThreatFox's own scheme: url, domain, ip:port (C2 address and listening port) and hash (SHA-256 digests; the final 32-character entry is an MD5).
- url: http://cs.qaxc2.xyz/cx
- domain: cs.qaxc2.xyz
- ip:port: 49.234.19.234:80
- url: https://180.76.166.103/lsnmkxt/
- ip:port: 180.76.166.103:443
- ip:port: 185.246.221.36:54794
- url: https://43.142.57.184/g.pixel
- url: http://45.130.146.172/ga.js
- ip:port: 45.130.146.172:80
- url: http://1.117.214.208:999/en_us/all.js
- url: https://43.131.249.120:4433/visit.js
- url: https://update.northcentralus.cloudapp.azure.com/pixel
- domain: update.northcentralus.cloudapp.azure.com
- ip:port: 23.96.244.103:443
- domain: l41.sjys6.top
- domain: iodhqowihdq2235df.ddns.net
- domain: 5o23hioifhiahdwaji.ddns.net
- url: http://193.149.185.227/
- url: http://157.245.36.27/~dokterpol/?page=081599145
- ip:port: 18.197.239.109:12392
- ip:port: 37.0.14.198:4424
- ip:port: 89.44.9.153:443
- ip:port: 108.62.118.70:443
- ip:port: 104.219.233.41:443
- ip:port: 142.11.199.235:443
- ip:port: 45.195.53.11:28981
- ip:port: 185.246.221.12:4648
- url: http://45.139.105.174:1604/is-ready
- url: http://sempersim.su/gm15/fre.php
- domain: kudcfe312.top
- domain: kudgpu14.top
- domain: kudmfa212.top
- domain: kudokq112.top
- domain: kudrot712.top
- domain: mortud03.top
- domain: pabryd01.top
- domain: secnti08.top
- domain: sectow07.top
- domain: secuog10.top
- domain: secwjv03.top
- domain: tamari03.top
- domain: tamdur05.top
- domain: tamepo01.top
- domain: tamera07.top
- domain: tamgav04.top
- domain: tamlar10.top
- domain: tamoes08.top
- domain: tamori02.top
- domain: tyslia13.top
- domain: tystne110.top
- domain: yawsim75.top
- url: http://157.245.36.27/~dokterpol/?page=2223396
- url: http://61839.clmonth.nyashteam.ru/nyashsupport.php
- url: http://208.67.105.161/gk2/five/fre.php
- ip:port: 84.21.172.33:5763
- ip:port: 107.175.50.207:20327
- ip:port: 45.8.145.230:80
- ip:port: 88.198.94.71:80
- ip:port: 116.202.6.206:80
- url: https://t.me/asifrazatg
- url: https://steamcommunity.com/profiles/76561199439929669
- url: http://45.8.145.230/1696
- url: http://49.12.113.223/1679
- url: http://95.217.29.31/1707
- url: http://95.217.151.129/1760
- url: http://88.198.94.71/1686
- url: http://88.198.94.71/1711
- url: http://185.138.164.149/1343
- url: http://95.217.31.208/1779
- url: http://49.12.113.223/1744
- url: http://95.217.31.208/1707
- url: http://49.12.113.223/1495
- url: http://185.234.247.238/1343
- url: http://45.8.145.230/
- url: http://116.202.6.206/
- url: http://88.198.94.71/
- ip:port: 116.202.5.223:28786
- url: http://45.15.156.38/
- domain: guaracheza.pics
- domain: stayersa.art
- ip:port: 45.15.156.60:39908
- url: http://43.142.193.86/jquery-3.3.1.min.js
- url: https://tasty-reading-gw.aws-euw1.cloud-ara.tyk.io/fashion/openbsd/48hodho9jl
- url: http://www.leatheus.tk:5433/fashion/openbsd/48hodho9jl
- domain: www.leatheus.tk
- ip:port: 185.200.116.131:52239
- ip:port: 185.106.92.214:2510
- url: http://77.73.133.72/hfk3vk9/index.php
- url: http://47.92.64.196:5555/pixel.gif
- ip:port: 77.73.131.6:443
- url: http://42.193.112.134/maps/overlaybfpr
- ip:port: 42.193.112.134:80
- url: http://101.43.108.171:8080/pixel
- url: http://43.136.169.209:479/duplex.gif
- url: http://47.93.212.101:9999/fwlink
- url: http://103.139.44.52/office365/csrss.exe
- url: https://43.156.15.101:9443/www/handle/doc
- url: http://wakawaka1.b0.aicdn.com/hahaha/yomobing
- domain: wakawaka1.b0.aicdn.com
- url: https://cs.imalloc.cn/media.html
- domain: cs.imalloc.cn
- ip:port: 101.35.143.108:443
- url: http://110.41.131.105:9999/ie9compatviewlist.xml
- url: http://androidupdate1204.top
- url: http://116.202.6.206/1711
- ip:port: 80.78.240.77:80
- ip:port: 195.140.215.228:80
- ip:port: 212.192.31.207:3346
- url: http://195.140.215.228/
- url: http://80.78.240.77/
- domain: installationupgrade6.com
- ip:port: 27.147.169.101:5555
- ip:port: 20.171.84.250:2288
- url: http://n58r7he6mxamd2u.gq
- ip:port: 113.52.135.33:7080
- ip:port: 138.197.140.163:8080
- ip:port: 144.76.62.10:8080
- ip:port: 173.249.157.58:8080
- ip:port: 176.58.93.123:80
- ip:port: 178.249.187.150:7080
- ip:port: 181.113.229.139:990
- ip:port: 181.47.235.26:993
- ip:port: 186.10.16.244:53
- ip:port: 190.117.206.153:443
- ip:port: 190.13.146.47:443
- ip:port: 200.55.168.82:20
- ip:port: 201.196.15.79:990
- ip:port: 203.99.182.135:443
- ip:port: 203.99.187.137:443
- ip:port: 203.99.188.203:990
- ip:port: 213.138.100.98:8080
- ip:port: 216.70.88.55:8080
- ip:port: 5.189.148.98:8080
- ip:port: 51.38.134.203:8080
- ip:port: 70.32.94.58:8080
- ip:port: 78.109.34.178:443
- ip:port: 83.169.33.157:8080
- ip:port: 91.109.5.28:8080
- ip:port: 93.78.205.196:443
- ip:port: 94.177.253.126:80
- ip:port: 95.216.207.86:7080
- url: https://discaredforftp.000webhostapp.com/
- url: http://208.67.105.148/ser/five/fre.php
- url: http://95.216.206.219/
- url: http://78.47.106.78
- url: http://142.132.189.63
- url: http://yamacfirarda.ml
- url: http://karakterlihaberledenbi.co.vu/
- ip:port: 159.203.86.86:80
- url: http://sedesadre.gq/pkz/pws/fre.php
- url: https://107.148.129.129/visit.js
- ip:port: 122.10.116.203:443
- ip:port: 23.106.215.60:443
- url: http://88.198.94.71/1707
- url: http://49.12.113.223/1779
- url: http://88.198.94.71/1148
- url: https://allvip.cl/faua/index.php?qakbot.zip
- url: http://93.48.42.40:44723/mozi.m
- url: https://d2idc6pw30xvpl.cloudfront.net/s/ref=nb_sb_noss_1/167-3294888-026249/field-keywords=year
- domain: d2idc6pw30xvpl.cloudfront.net
- ip:port: 52.200.176.43:443
- ip:port: 54.145.26.247:4444
- url: http://88.214.27.53:50025/match
- url: https://google-help-center.tk:8443/_/scs/mail-static/_/js/
- domain: google-help-center.tk
- ip:port: 61.80.41.232:8443
- ip:port: 91.227.41.144:13353
- ip:port: 45.82.251.34:443
- url: http://telexmint.me/five/fre.php
- url: https://aaawwsqa.freemyip.com/jquery-3.3.1.min.js
- domain: aaawwsqa.freemyip.com
- ip:port: 88.218.192.251:443
- hash: 123c451c4d138fd989b0bfc7de36ff761f621eb3e780500e375840a8e879a876
- ip:port: 3.6.115.64:15504
- ip:port: 185.196.20.55:45433
- ip:port: 91.121.228.166:5200
- ip:port: 85.208.136.178:46539
- url: http://157.245.36.27/~dokterpol/?page=2874
- ip:port: 172.86.120.146:2819
- domain: svervhiubvdc.con-ip.com
- domain: ischishdiuchwdc.con-ip.com
- domain: craigjonson91211.freedynamicdns.net
- hash: d56e0fb0426930ff508f0df6554ecb1a6b70ce7990ed7e73c4e3352ac2276968
- hash: c48625cd4ab832541fa827b8e68c3b39a2922c04a3c192d7fd229c41d8e77e2b
- hash: 0ee05e5c62ae8786f7d318ea48edf16fcc47d6031e13a9dae563ec8efbcb3e56
- hash: 1f353369c80de1b1e98ded84be361263e75f56c109764fa3f5fa1d9b1df3a0c9
- hash: 235c44be3c65568e1550596182f0fe3b1b3540c95b62e63a00e2a4853c561b2c
- hash: cbbb702f3317d7c2e99e511e7e48939c724423b5e38a15612d91864a70a3e707
- hash: a97f182e8e7da0854b932b946352626e4c94c6f1319ea6ddf5cefa854af93bd7
- hash: 80baf6c6e27444118817bb5ebe4050446e4f234282489332d317fa19934913ea
- hash: 5ae79021c1b884a698e1e18800c12bc63fb4a0211191d13dd63a0b83bd288834
- hash: da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108
- hash: 1a3f59635b53a4e566e86e77463ddf00bc1cdfeaa73e7b77e4cb5e258f1df118
- hash: e429e0cf2530d9a1440fc0a61ec38f93cd55f2da0e6c7d8d72df4ec4c5ecc4ff
- hash: 1ca0315b4ed932bf3ea6e9e9471a2afbb1c43d33d893bdc5d7f8b48be2baf503
- hash: 7d6e946592986be2a5f72c17860a55fcd18a8a42aa9b8ae32069627ad2539796
- hash: 62aff77eed81042691bd2337b9c675cf5d10d31f0b3960680fa1270154d4ca7c
- hash: 1e48f5be58b577bc76423894dadf647800f1da1afab2f3c1c82c08f3b66b4981
- hash: 2b0c6401f31023ee40977540238cda20cdd927558d800a5e7ff0e2fa8ace04b4
- hash: dc1034a26e7c697b316a3e8eb51dfe68698a5ee294027823fc4647bae25694e4
- hash: 4f1b5a53a30aa02c672842239a8473857e3bbaaa3c4a6cac65605b3829ed3a31
- hash: 4004cf36ae17446a2c683f8be9b80d07c4fa9a8c78fb18599ff9008be57f5c72
- hash: 2a22f5416355b1a39a14acb2cfcaa3aa969a70d7d3e85d7cd820ca247806c50f
- hash: a3d6b93a989a3c01c1fb9533afec47c873b00f5e40e7034712c6f95ed42881bc
- hash: f23af58c2cf4e24dc720b940dfcbb7a12793de187354f892b8ee9cbec7c3332e
- hash: f735176189587ba31681fd08f1e8dc8298eb0b1887ed3091c6e85f3a4ba1599d
- hash: c84e37c235b53b72969c85200697d8e7cc8c38ed44ad9c38e15fef6c238473ec
- hash: 9e7d3449b5afea0c2c1e06be18b6ea710c99c68a5c03fde36c19c2a3ba29f722
- hash: 185afea42a0851b228046a4aaf4b599e59ad346492ddd13680d1cfa9c870571a
- hash: a93db1bbcf9be3a8e15ddf1df78a95bb8e69ff52c758a55b136a427abf66f03b
- hash: 7c933af52cfba4d1fa17cb1d994d2c0f285bbb6660878902328ce812dd2d0642
- hash: 81896b1e18c213c95373294130d97fbb4bd2ec5a45c974e48d4b6b8367fab684
- hash: be3d69c486743a9f5256e8001ca0a067c3cececb2a169846b5a3ded8e09ec3eb
- hash: ec8ecee61aeab54e0622706710e9cbe56cdda7d2b47c5d13ef343092c868120c
- hash: 8c02124339be5c272b8336f1860504bce5e35943a371b718aebedd0404381c18
- hash: cde4a59a054d41733da3cf92c91fbe991b89419ac1d1d3ba6f26000000ff41ed
- hash: 3c31a9a5d752fa449405dffb75b64bbc72a2473ed02a4136bfc261d1923efc2e
- hash: c4ec6a66dd877688055a9949220ce8fbea8f51cdab01abf55a0ef3fcb97e8442
- hash: 9cba1fd2108274017e9b8bd06ace5a39ea3c6094813ddc3bbebfbecf8a693a7d
- hash: 5077460204027a210a9a197adae86e6c2b367bf7c20051cff3f9ae62e13713c8
- hash: fae47086c34007307f6e2cd0c47a97d8
Technical Details
- Threat Level: 2 (MISP event threat level; 2 = Medium)
- Analysis: 1 (MISP analysis state; 1 = Ongoing)
- Distribution: 3 (MISP distribution; 3 = All communities)
- Uuid: f97ed12f-9d04-4c6a-bc7b-4a9b70b0c1eb
- Original Timestamp: 1669766584 (2022-11-30 00:03:04 UTC)
Indicators of Compromise
Url
Value | Description
---|---
http://cs.qaxc2.xyz/cx | Cobalt Strike botnet C2 (confidence level: 100%)
https://180.76.166.103/lsnmkxt/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://43.142.57.184/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://45.130.146.172/ga.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://1.117.214.208:999/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://43.131.249.120:4433/visit.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://update.northcentralus.cloudapp.azure.com/pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://193.149.185.227/ | RecordBreaker botnet C2 (confidence level: 100%)
http://157.245.36.27/~dokterpol/?page=081599145 | Loki Password Stealer (PWS) botnet C2 (confidence level: 75%)
http://45.139.105.174:1604/is-ready | Houdini botnet C2 (confidence level: 100%)
http://sempersim.su/gm15/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
http://157.245.36.27/~dokterpol/?page=2223396 | Loki Password Stealer (PWS) botnet C2 (confidence level: 75%)
http://61839.clmonth.nyashteam.ru/nyashsupport.php | DCRat botnet C2 (confidence level: 100%)
http://208.67.105.161/gk2/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 75%)
https://t.me/asifrazatg | Vidar botnet C2 (confidence level: 100%)
https://steamcommunity.com/profiles/76561199439929669 | Vidar botnet C2 (confidence level: 100%)
http://45.8.145.230/1696 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.223/1679 | Vidar botnet C2 (confidence level: 100%)
http://95.217.29.31/1707 | Vidar botnet C2 (confidence level: 100%)
http://95.217.151.129/1760 | Vidar botnet C2 (confidence level: 100%)
http://88.198.94.71/1686 | Vidar botnet C2 (confidence level: 100%)
http://88.198.94.71/1711 | Vidar botnet C2 (confidence level: 100%)
http://185.138.164.149/1343 | Vidar botnet C2 (confidence level: 100%)
http://95.217.31.208/1779 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.223/1744 | Vidar botnet C2 (confidence level: 100%)
http://95.217.31.208/1707 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.223/1495 | Vidar botnet C2 (confidence level: 100%)
http://185.234.247.238/1343 | Vidar botnet C2 (confidence level: 100%)
http://45.8.145.230/ | Vidar botnet C2 (confidence level: 100%)
http://116.202.6.206/ | Vidar botnet C2 (confidence level: 100%)
http://88.198.94.71/ | Vidar botnet C2 (confidence level: 100%)
http://45.15.156.38/ | RecordBreaker botnet C2 (confidence level: 100%)
http://43.142.193.86/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://tasty-reading-gw.aws-euw1.cloud-ara.tyk.io/fashion/openbsd/48hodho9jl | Cobalt Strike botnet C2 (confidence level: 100%)
http://www.leatheus.tk:5433/fashion/openbsd/48hodho9jl | Cobalt Strike botnet C2 (confidence level: 100%)
http://77.73.133.72/hfk3vk9/index.php | Amadey botnet C2 (confidence level: 100%)
http://47.92.64.196:5555/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://42.193.112.134/maps/overlaybfpr | Cobalt Strike botnet C2 (confidence level: 100%)
http://101.43.108.171:8080/pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://43.136.169.209:479/duplex.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://47.93.212.101:9999/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
http://103.139.44.52/office365/csrss.exe | Loki Password Stealer (PWS) payload delivery URL (confidence level: 100%)
https://43.156.15.101:9443/www/handle/doc | Cobalt Strike botnet C2 (confidence level: 100%)
http://wakawaka1.b0.aicdn.com/hahaha/yomobing | Cobalt Strike botnet C2 (confidence level: 100%)
https://cs.imalloc.cn/media.html | Cobalt Strike botnet C2 (confidence level: 100%)
http://110.41.131.105:9999/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
http://androidupdate1204.top | Hydra botnet C2 (confidence level: 80%)
http://116.202.6.206/1711 | Vidar botnet C2 (confidence level: 100%)
http://195.140.215.228/ | Vidar botnet C2 (confidence level: 100%)
http://80.78.240.77/ | Vidar botnet C2 (confidence level: 100%)
http://n58r7he6mxamd2u.gq | Alien botnet C2 (confidence level: 80%)
https://discaredforftp.000webhostapp.com/ | Azorult botnet C2 (confidence level: 75%)
http://208.67.105.148/ser/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
http://95.216.206.219/ | Alien botnet C2 (confidence level: 80%)
http://78.47.106.78 | Alien botnet C2 (confidence level: 80%)
http://142.132.189.63 | Alien botnet C2 (confidence level: 80%)
http://yamacfirarda.ml | Alien botnet C2 (confidence level: 80%)
http://karakterlihaberledenbi.co.vu/ | Alien botnet C2 (confidence level: 80%)
http://sedesadre.gq/pkz/pws/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 75%)
https://107.148.129.129/visit.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://88.198.94.71/1707 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.223/1779 | Vidar botnet C2 (confidence level: 100%)
http://88.198.94.71/1148 | Vidar botnet C2 (confidence level: 100%)
https://allvip.cl/faua/index.php?qakbot.zip | QakBot payload delivery URL (confidence level: 100%)
http://93.48.42.40:44723/mozi.m | Mozi payload delivery URL (confidence level: 50%)
https://d2idc6pw30xvpl.cloudfront.net/s/ref=nb_sb_noss_1/167-3294888-026249/field-keywords=year | Cobalt Strike botnet C2 (confidence level: 100%)
http://88.214.27.53:50025/match | Cobalt Strike botnet C2 (confidence level: 100%)
https://google-help-center.tk:8443/_/scs/mail-static/_/js/ | Cobalt Strike botnet C2 (confidence level: 100%)
http://telexmint.me/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
https://aaawwsqa.freemyip.com/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://157.245.36.27/~dokterpol/?page=2874 | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
Domain
Value | Description
---|---
cs.qaxc2.xyz | Cobalt Strike botnet C2 domain (confidence level: 100%)
update.northcentralus.cloudapp.azure.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
l41.sjys6.top | Mirai botnet C2 domain (confidence level: 100%)
iodhqowihdq2235df.ddns.net | Mirai botnet C2 domain (confidence level: 100%)
5o23hioifhiahdwaji.ddns.net | Mirai botnet C2 domain (confidence level: 100%)
kudcfe312.top | CryptBot botnet C2 domain (confidence level: 100%)
kudgpu14.top | CryptBot botnet C2 domain (confidence level: 100%)
kudmfa212.top | CryptBot botnet C2 domain (confidence level: 100%)
kudokq112.top | CryptBot botnet C2 domain (confidence level: 100%)
kudrot712.top | CryptBot botnet C2 domain (confidence level: 100%)
mortud03.top | CryptBot botnet C2 domain (confidence level: 100%)
pabryd01.top | CryptBot botnet C2 domain (confidence level: 100%)
secnti08.top | CryptBot botnet C2 domain (confidence level: 100%)
sectow07.top | CryptBot botnet C2 domain (confidence level: 100%)
secuog10.top | CryptBot botnet C2 domain (confidence level: 100%)
secwjv03.top | CryptBot botnet C2 domain (confidence level: 100%)
tamari03.top | CryptBot botnet C2 domain (confidence level: 100%)
tamdur05.top | CryptBot botnet C2 domain (confidence level: 100%)
tamepo01.top | CryptBot botnet C2 domain (confidence level: 100%)
tamera07.top | CryptBot botnet C2 domain (confidence level: 100%)
tamgav04.top | CryptBot botnet C2 domain (confidence level: 100%)
tamlar10.top | CryptBot botnet C2 domain (confidence level: 100%)
tamoes08.top | CryptBot botnet C2 domain (confidence level: 100%)
tamori02.top | CryptBot botnet C2 domain (confidence level: 100%)
tyslia13.top | CryptBot botnet C2 domain (confidence level: 100%)
tystne110.top | CryptBot botnet C2 domain (confidence level: 100%)
yawsim75.top | CryptBot botnet C2 domain (confidence level: 100%)
guaracheza.pics | IcedID Downloader botnet C2 domain (confidence level: 75%)
stayersa.art | IcedID Downloader botnet C2 domain (confidence level: 75%)
www.leatheus.tk | Cobalt Strike botnet C2 domain (confidence level: 100%)
wakawaka1.b0.aicdn.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
cs.imalloc.cn | Cobalt Strike botnet C2 domain (confidence level: 100%)
installationupgrade6.com | Unknown malware botnet C2 domain (confidence level: 50%)
d2idc6pw30xvpl.cloudfront.net | Cobalt Strike botnet C2 domain (confidence level: 100%)
google-help-center.tk | Cobalt Strike botnet C2 domain (confidence level: 100%)
aaawwsqa.freemyip.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
svervhiubvdc.con-ip.com | Remcos botnet C2 domain (confidence level: 100%)
ischishdiuchwdc.con-ip.com | Remcos botnet C2 domain (confidence level: 100%)
craigjonson91211.freedynamicdns.net | Remcos botnet C2 domain (confidence level: 100%)
File
Value | Description | Copy |
---|---|---|
file49.234.19.234 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file180.76.166.103 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file185.246.221.36 | Remcos botnet C2 server (confidence level: 75%) | |
file45.130.146.172 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file23.96.244.103 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file18.197.239.109 | NjRAT botnet C2 server (confidence level: 100%) | |
file37.0.14.198 | Ave Maria botnet C2 server (confidence level: 100%) | |
file89.44.9.153 | BumbleBee botnet C2 server (confidence level: 75%) | |
file108.62.118.70 | BumbleBee botnet C2 server (confidence level: 75%) | |
file104.219.233.41 | BumbleBee botnet C2 server (confidence level: 75%) | |
file142.11.199.235 | BumbleBee botnet C2 server (confidence level: 75%) | |
file45.195.53.11 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file185.246.221.12 | STRRAT botnet C2 server (confidence level: 100%) | |
file84.21.172.33 | Remcos botnet C2 server (confidence level: 75%) | |
file107.175.50.207 | Ghost RAT botnet C2 server (confidence level: 100%) | |
file45.8.145.230 | Vidar botnet C2 server (confidence level: 100%) | |
file88.198.94.71 | Vidar botnet C2 server (confidence level: 100%) | |
file116.202.6.206 | Vidar botnet C2 server (confidence level: 100%) | |
file116.202.5.223 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file45.15.156.60 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file185.200.116.131 | Ave Maria botnet C2 server (confidence level: 100%) | |
file185.106.92.214 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file77.73.131.6 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file42.193.112.134 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file101.35.143.108 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file80.78.240.77 | Vidar botnet C2 server (confidence level: 100%) | |
file195.140.215.228 | Vidar botnet C2 server (confidence level: 100%) | |
file212.192.31.207 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file27.147.169.101 | NjRAT botnet C2 server (confidence level: 100%) | |
file20.171.84.250 | BitRAT botnet C2 server (confidence level: 100%) | |
file113.52.135.33 | Emotet botnet C2 server (confidence level: 75%) | |
file138.197.140.163 | Emotet botnet C2 server (confidence level: 75%) | |
file144.76.62.10 | Emotet botnet C2 server (confidence level: 75%) | |
file173.249.157.58 | Emotet botnet C2 server (confidence level: 75%) | |
file176.58.93.123 | Emotet botnet C2 server (confidence level: 75%) | |
file178.249.187.150 | Emotet botnet C2 server (confidence level: 75%) | |
file181.113.229.139 | Emotet botnet C2 server (confidence level: 75%) | |
file181.47.235.26 | Emotet botnet C2 server (confidence level: 75%) | |
file186.10.16.244 | Emotet botnet C2 server (confidence level: 75%) | |
file190.117.206.153 | Emotet botnet C2 server (confidence level: 75%) | |
file190.13.146.47 | Emotet botnet C2 server (confidence level: 75%) | |
file200.55.168.82 | Emotet botnet C2 server (confidence level: 75%) | |
file201.196.15.79 | Emotet botnet C2 server (confidence level: 75%) | |
file203.99.182.135 | Emotet botnet C2 server (confidence level: 75%) | |
file203.99.187.137 | Emotet botnet C2 server (confidence level: 75%) | |
file203.99.188.203 | Emotet botnet C2 server (confidence level: 75%) | |
file213.138.100.98 | Emotet botnet C2 server (confidence level: 75%) | |
file216.70.88.55 | Emotet botnet C2 server (confidence level: 75%) | |
file5.189.148.98 | Emotet botnet C2 server (confidence level: 75%) | |
file51.38.134.203 | Emotet botnet C2 server (confidence level: 75%) | |
file70.32.94.58 | Emotet botnet C2 server (confidence level: 75%) | |
file78.109.34.178 | Emotet botnet C2 server (confidence level: 75%) | |
file83.169.33.157 | Emotet botnet C2 server (confidence level: 75%) | |
file91.109.5.28 | Emotet botnet C2 server (confidence level: 75%) | |
file93.78.205.196 | Emotet botnet C2 server (confidence level: 75%) | |
file94.177.253.126 | Emotet botnet C2 server (confidence level: 75%) | |
file95.216.207.86 | Emotet botnet C2 server (confidence level: 75%) | |
file159.203.86.86 | PhotoLoader botnet C2 server (confidence level: 75%) | |
file122.10.116.203 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file23.106.215.60 | BumbleBee botnet C2 server (confidence level: 75%) | |
file52.200.176.43 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file54.145.26.247 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file61.80.41.232 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file91.227.41.144 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file45.82.251.34 | IcedID botnet C2 server (confidence level: 75%) | |
file88.218.192.251 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file3.6.115.64 | NjRAT botnet C2 server (confidence level: 100%) | |
file185.196.20.55 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file91.121.228.166 | Ave Maria botnet C2 server (confidence level: 100%) | |
file85.208.136.178 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file172.86.120.146 | RedLine Stealer botnet C2 server (confidence level: 100%) |
Hash
Value | Description | Copy |
---|---|---|
Threat ID: 682acdc4bbaf20d303f215a3
Added to database: 5/19/2025, 6:20:52 AM
Last enriched: 6/18/2025, 8:05:34 AM
Last updated: 8/13/2025, 12:03:46 AM