ThreatFox IOCs for 2023-01-11
AI Analysis
Technical Summary
The provided information pertains to a set of Indicators of Compromise (IOCs) published on January 11, 2023, by the ThreatFox MISP Feed. These IOCs are related to malware activities categorized under OSINT (Open Source Intelligence), network activity, and payload delivery. The data does not specify particular malware families, affected software versions, or detailed technical characteristics, but it highlights the presence of threat intelligence indicators that can be used to detect or investigate malicious activity. The threat level is indicated as medium, with no known exploits in the wild and no patches available, suggesting that this is primarily intelligence data rather than a newly discovered vulnerability or active exploit. The lack of specific CWEs and affected versions implies that this intelligence is focused on detection and monitoring rather than immediate remediation of a software flaw. The threat involves network activity and payload delivery, which typically means that the malware or threat actors use network communications to deliver malicious payloads, potentially enabling unauthorized access, data exfiltration, or further compromise. The TLP (Traffic Light Protocol) is white, indicating that the information is intended for public sharing without restriction. Overall, this threat intelligence is valuable for security teams to enhance their detection capabilities and situational awareness but does not describe a direct exploit or vulnerability requiring immediate patching.
Potential Impact
For European organizations, the impact of this threat intelligence lies in its utility for improving detection and response rather than indicating an active or imminent attack vector. Since the IOCs relate to malware and network activity, organizations that do not incorporate these indicators into their security monitoring may face increased risk of undetected compromise or delayed incident response. The absence of known exploits and patches suggests that the threat is not currently causing widespread damage but could be leveraged by threat actors if combined with other vulnerabilities or social engineering tactics. European entities with extensive network infrastructure, especially those in critical sectors such as finance, energy, and government, could benefit from integrating these IOCs into their security information and event management (SIEM) systems and threat intelligence platforms to enhance their defensive posture. However, the direct operational impact is likely limited unless these IOCs correspond to active campaigns targeting specific organizations.
Mitigation Recommendations
To mitigate risks associated with the threat intelligence provided, European organizations should:
- Integrate the ThreatFox IOCs into their existing threat intelligence platforms and SIEM tools to enable automated detection of related malicious activity.
- Conduct network traffic analysis focusing on indicators related to payload delivery and unusual network communications that match the IOCs.
- Enhance endpoint detection and response (EDR) capabilities to identify and contain malware behaviors associated with the indicators.
- Share relevant findings with industry Information Sharing and Analysis Centers (ISACs) to improve collective defense.
- Maintain robust network segmentation and least privilege access controls to limit potential lateral movement if a compromise occurs.
- Regularly update and test incident response plans to ensure readiness in case these indicators correspond to active threats.
Since no patches are available, emphasis should be on detection, containment, and response rather than remediation of a software vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Indicators of Compromise
- url: http://871356.clmonth.nyashteam.top/nyashsupport.php
- domain: pleasetake.pictures
- file: 3.122.103.39
- hash: 4433
- file: 23.227.202.66
- hash: 443
- file: 185.48.86.75
- hash: 9000
- file: 185.48.86.75
- hash: 3002
- file: 185.48.86.75
- hash: 3301
- file: 185.48.86.75
- hash: 22222
- file: 49.234.152.199
- hash: 80
- file: 106.55.2.194
- hash: 2095
- url: http://82.146.34.244/pipe_bigloadgeneratorlocal.php
- file: 37.38.244.230
- hash: 1449
- url: http://193.47.61.99/cm
- file: 193.47.61.99
- hash: 80
- url: http://54.151.146.41/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- file: 54.151.146.41
- hash: 80
- url: http://101.33.125.241:4444/en_us/all.js
- file: 116.202.3.55
- hash: 28786
- file: 45.138.16.148
- hash: 5050
- file: 45.89.54.61
- hash: 80
- file: 49.12.203.54
- hash: 80
- file: 51.178.186.12
- hash: 80
- file: 64.190.113.112
- hash: 80
- file: 77.73.133.90
- hash: 80
- file: 79.137.206.22
- hash: 80
- file: 81.19.140.95
- hash: 80
- file: 88.119.170.121
- hash: 80
- file: 89.23.96.13
- hash: 80
- file: 91.240.84.153
- hash: 80
- file: 103.219.154.115
- hash: 80
- file: 130.0.234.116
- hash: 80
- file: 146.19.170.164
- hash: 80
- file: 146.70.101.78
- hash: 80
- file: 146.70.104.186
- hash: 80
- file: 162.55.37.54
- hash: 80
- file: 185.181.10.208
- hash: 80
- file: 195.133.40.9
- hash: 80
- file: 212.118.36.51
- hash: 80
- url: http://windowsign.theworkpc.com/pollbigloaddefaultdbbase.php
- file: 82.115.223.77
- hash: 8081
- file: 85.192.63.77
- hash: 8081
- file: 89.23.97.58
- hash: 8081
- file: 157.90.232.2
- hash: 8081
- url: http://158447.clmonth.nyashteam.top/nyashsupport.php
- hash: 381134ea0f0be535b9d2ce8a94093576
- url: http://42.224.213.130:35049/mozi.m
- file: 217.64.127.195
- hash: 52651
- file: 220.135.222.186
- hash: 8080
- file: 58.177.98.79
- hash: 8080
- file: 94.10.67.162
- hash: 8080
- file: 118.167.131.52
- hash: 8080
- file: 118.167.144.103
- hash: 8080
- file: 218.221.150.148
- hash: 8080
- file: 61.68.74.170
- hash: 8080
- file: 10.5.247.128
- hash: 52651
- file: 212.22.77.79
- hash: 80
- file: 195.2.78.146
- hash: 80
- url: http://185.246.90.205/libsystem.so
- url: http://185.246.90.205/curl-amd64
- url: http://185.246.90.205/kinsing
- file: 185.246.90.205
- hash: 80
- file: 45.138.16.40
- hash: 4782
- url: http://172.81.180.176/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://79.137.207.152/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://94.131.98.88/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://157.254.195.56/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://77.73.134.36/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://130.0.234.116/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://146.70.86.253/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://45.15.156.120/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://45.61.139.2/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://167.235.29.56/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- file: 185.87.48.183
- hash: 80
- file: 79.137.207.152
- hash: 80
- url: http://142.132.168.13/821
- url: http://142.132.168.13/27
- url: http://142.132.168.13/588
- url: http://116.202.7.135/817
- url: http://142.132.168.13/670
- url: http://142.132.168.13/811
- url: http://116.202.7.135/762
- url: http://142.132.168.13/683
- url: http://78.46.148.93/19
- url: http://142.132.168.13/560
- url: http://65.109.164.83/661
- file: 185.222.58.68
- hash: 7777
- url: https://doyiduzu.com/fabricate/privacypolicy/58u2fpavh92u
- domain: doyiduzu.com
- url: https://23.108.57.74/fabricate/privacypolicy/58u2fpavh92u
- file: 23.108.57.74
- hash: 443
- url: http://147.78.47.131/push
- file: 79.137.202.45
- hash: 80
- file: 79.137.202.45
- hash: 443
- url: https://allowedcloud.com/ur.html
- domain: allowedcloud.com
- url: http://91.213.50.75/__utm.gif
- hash: 5c7fb0927db37372da25f270708103a2
- url: http://91.213.50.75:8010/ptj
- url: http://allowedcloud.com/ee
- file: 23.227.202.66
- hash: 80
- url: https://redirect.frontlinepay.us/fwlink
- domain: redirect.frontlinepay.us
- file: 20.9.56.158
- hash: 443
- hash: 69c8f26359a2f91a60c66023180491f7
- url: https://svchost20230103.ddnsfree.com/dynu-3.3.1.min.js
- domain: svchost20230103.ddnsfree.com
- file: 24.199.120.37
- hash: 443
- file: 157.90.232.2
- hash: 80
- file: 89.23.97.58
- hash: 80
- file: 85.192.63.77
- hash: 80
- url: http://cs.newbird.cf/updates.rss
- domain: cs.newbird.cf
- file: 185.146.88.243
- hash: 2404
- hash: 1dba6023c933a8d7a9a6623c158bc4b7
- file: 37.0.14.207
- hash: 2404
- url: http://navylin.com/autopoisonous/4fzqw/
- url: http://asrani.garudaputih.com/nutabalong/bjyqouir99qnfopdx/
- url: http://db.rikaz.tech/lcx76ilkrbtesqnfa7/zpyjzponzstnoirhob/
- file: 10.9.0.26
- hash: 10929
- file: 45.139.105.174
- hash: 10929
- file: 101.42.46.117
- hash: 80
- file: 157.245.102.164
- hash: 443
- file: 173.82.196.58
- hash: 443
- file: 103.45.143.169
- hash: 80
- file: 47.113.224.80
- hash: 80
- file: 193.111.248.239
- hash: 10134
- hash: cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb
- hash: 2c6f8842494083e7ff70f648a116c74a22a470e7fab297cded5927f555a7fc6e
- url: http://5.75.182.6/
- file: 78.47.172.233
- hash: 80
- url: http://83.97.20.139/
- url: http://78.47.172.233:80
- file: 194.5.212.164
- hash: 3368
- domain: acordadeumavez.mom
- domain: aesulluzetecnologia.hair
- domain: anonovovidanova.mom
- domain: nemtusabeoqquer.skin
- domain: olhaaiquetendel.mom
- domain: omaigod.skin
- domain: sejaumapessoaboa.hair
- domain: semmaldade.mom
- domain: teligameu.hair
- domain: tudopassa.skin
- domain: vamocaralho.skin
- url: https://1.15.247.249:8088/ie9compatviewlist.xml
- file: 107.189.10.180
- hash: 3778
- file: 108.62.118.219
- hash: 443
- file: 49.12.113.110
- hash: 80
- url: http://49.12.113.110/408
- url: http://49.12.113.110/682
- url: http://142.132.168.13/408
- url: http://49.12.113.110/583
- url: http://49.12.113.110/762
- url: http://49.12.113.110/26
- url: http://78.46.148.93/736
- url: http://116.202.7.135/583
- url: http://5.75.203.81/698
- url: http://49.12.113.110/767
- url: http://49.12.113.110/494
- url: http://78.46.148.93/756
- url: http://49.12.113.110/817
- url: http://49.12.113.110/24
- url: http://142.132.168.13/24
- url: http://49.12.113.110/802
- url: http://49.12.113.110/724
- file: 65.21.237.20
- hash: 43077
- url: https://103.131.189.217/hpimagearchive.aspx
- file: 103.131.189.217
- hash: 443
- file: 37.130.119.233
- hash: 40294
- file: 91.238.50.101
- hash: 443
- file: 5.75.145.16
- hash: 37638
- file: 82.115.223.46
- hash: 57672
- file: 82.115.223.138
- hash: 35316
- domain: searchme.top
- domain: spicymeat.top
- url: http://37.220.87.38/
- url: http://94.131.107.176/
- url: http://37.220.87.38/700baf032ce70b3e36bb09314071637a
- url: http://freashalbany.site11.com/gate.php
- domain: sncrack.xyz
- domain: alphasoft.pro
- domain: whitecracks.com
- domain: sakurasoft.pro
- domain: ytsoftware.info
- domain: milkagames.info
- domain: softview.site
- domain: heroncloud.art
- domain: creativespirit.me
- domain: side-soft.com
- domain: tensoft.online
- domain: tensoft.best
- domain: cloudsoft.club
- domain: markjulianlerner.com
- domain: josephthomaskurzeja.com
- file: 103.37.86.14
- hash: 443
- file: 46.176.173.2
- hash: 995
- file: 80.121.53.116
- hash: 443
- file: 85.74.155.45
- hash: 2222
- file: 178.142.122.255
- hash: 443
- file: 82.15.58.109
- hash: 2222
- file: 102.158.90.125
- hash: 443
- file: 47.16.66.61
- hash: 2222
- file: 87.223.93.233
- hash: 443
- file: 105.68.197.223
- hash: 995
- file: 90.75.188.155
- hash: 2222
- url: http://47.102.110.41:7766/fwlink
- file: 93.56.127.246
- hash: 5552
- url: http://49.12.113.110/641
- url: http://142.132.168.13/724
- file: 45.14.165.18
- hash: 44810
- file: 18.197.239.109
- hash: 18280
- file: 3.69.157.220
- hash: 18280
- file: 179.43.154.136
- hash: 60195
- file: 3.69.115.178
- hash: 18280
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- Uuid: fc6f1dc1-1a0a-461a-b61d-853a3a6849df
- Original Timestamp: 1673481783
Indicators of Compromise
Url
Value | Description |
---|---|
http://871356.clmonth.nyashteam.top/nyashsupport.php | DCRat botnet C2 (confidence level: 100%) |
http://82.146.34.244/pipe_bigloadgeneratorlocal.php | DCRat botnet C2 (confidence level: 100%) |
http://193.47.61.99/cm | Cobalt Strike botnet C2 (confidence level: 100%) |
http://54.151.146.41/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%) |
http://101.33.125.241:4444/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%) |
http://windowsign.theworkpc.com/pollbigloaddefaultdbbase.php | DCRat botnet C2 (confidence level: 100%) |
http://158447.clmonth.nyashteam.top/nyashsupport.php | DCRat botnet C2 (confidence level: 100%) |
http://42.224.213.130:35049/mozi.m | Mozi payload delivery URL (confidence level: 50%) |
http://185.246.90.205/libsystem.so | Kinsing payload delivery URL (confidence level: 100%) |
http://185.246.90.205/curl-amd64 | Kinsing payload delivery URL (confidence level: 100%) |
http://185.246.90.205/kinsing | Kinsing payload delivery URL (confidence level: 100%) |
http://172.81.180.176/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%) |
http://79.137.207.152/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%) |
http://94.131.98.88/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%) |
http://157.254.195.56/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%) |
http://77.73.134.36/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%) |
http://130.0.234.116/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%) |
http://146.70.86.253/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%) |
http://45.15.156.120/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%) |
http://45.61.139.2/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%) |
http://167.235.29.56/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%) |
http://142.132.168.13/821 | Vidar botnet C2 (confidence level: 100%) |
http://142.132.168.13/27 | Vidar botnet C2 (confidence level: 100%) |
http://142.132.168.13/588 | Vidar botnet C2 (confidence level: 100%) |
http://116.202.7.135/817 | Vidar botnet C2 (confidence level: 100%) |
http://142.132.168.13/670 | Vidar botnet C2 (confidence level: 100%) |
http://142.132.168.13/811 | Vidar botnet C2 (confidence level: 100%) |
http://116.202.7.135/762 | Vidar botnet C2 (confidence level: 100%) |
http://142.132.168.13/683 | Vidar botnet C2 (confidence level: 100%) |
http://78.46.148.93/19 | Vidar botnet C2 (confidence level: 100%) |
http://142.132.168.13/560 | Vidar botnet C2 (confidence level: 100%) |
http://65.109.164.83/661 | Vidar botnet C2 (confidence level: 100%) |
https://doyiduzu.com/fabricate/privacypolicy/58u2fpavh92u | Cobalt Strike botnet C2 (confidence level: 100%) |
https://23.108.57.74/fabricate/privacypolicy/58u2fpavh92u | Cobalt Strike botnet C2 (confidence level: 100%) |
http://147.78.47.131/push | Cobalt Strike botnet C2 (confidence level: 100%) |
https://allowedcloud.com/ur.html | Cobalt Strike botnet C2 (confidence level: 100%) |
http://91.213.50.75/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
http://91.213.50.75:8010/ptj | Cobalt Strike botnet C2 (confidence level: 100%) |
http://allowedcloud.com/ee | Cobalt Strike botnet C2 (confidence level: 100%) |
https://redirect.frontlinepay.us/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) |
https://svchost20230103.ddnsfree.com/dynu-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) |
http://cs.newbird.cf/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) |
http://navylin.com/autopoisonous/4fzqw/ | Emotet payload delivery URL (confidence level: 100%) |
http://asrani.garudaputih.com/nutabalong/bjyqouir99qnfopdx/ | Emotet payload delivery URL (confidence level: 100%) |
http://db.rikaz.tech/lcx76ilkrbtesqnfa7/zpyjzponzstnoirhob/ | Emotet payload delivery URL (confidence level: 100%) |
http://5.75.182.6/ | Arkei Stealer botnet C2 (confidence level: 100%) |
http://83.97.20.139/ | RecordBreaker botnet C2 (confidence level: 100%) |
http://78.47.172.233:80 | Vidar botnet C2 (confidence level: 50%) |
https://1.15.247.249:8088/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) |
http://49.12.113.110/408 | Vidar botnet C2 (confidence level: 100%) |
http://49.12.113.110/682 | Vidar botnet C2 (confidence level: 100%) |
http://142.132.168.13/408 | Vidar botnet C2 (confidence level: 100%) |
http://49.12.113.110/583 | Vidar botnet C2 (confidence level: 100%) |
http://49.12.113.110/762 | Vidar botnet C2 (confidence level: 100%) |
http://49.12.113.110/26 | Vidar botnet C2 (confidence level: 100%) |
http://78.46.148.93/736 | Vidar botnet C2 (confidence level: 100%) |
http://116.202.7.135/583 | Vidar botnet C2 (confidence level: 100%) |
http://5.75.203.81/698 | Vidar botnet C2 (confidence level: 100%) |
http://49.12.113.110/767 | Vidar botnet C2 (confidence level: 100%) |
http://49.12.113.110/494 | Vidar botnet C2 (confidence level: 100%) |
http://78.46.148.93/756 | Vidar botnet C2 (confidence level: 100%) |
http://49.12.113.110/817 | Vidar botnet C2 (confidence level: 100%) |
http://49.12.113.110/24 | Vidar botnet C2 (confidence level: 100%) |
http://142.132.168.13/24 | Vidar botnet C2 (confidence level: 100%) |
http://49.12.113.110/802 | Vidar botnet C2 (confidence level: 100%) |
http://49.12.113.110/724 | Vidar botnet C2 (confidence level: 100%) |
https://103.131.189.217/hpimagearchive.aspx | Cobalt Strike botnet C2 (confidence level: 100%) |
http://37.220.87.38/ | Raccoon botnet C2 (confidence level: 100%) |
http://94.131.107.176/ | Raccoon botnet C2 (confidence level: 100%) |
http://37.220.87.38/700baf032ce70b3e36bb09314071637a | Raccoon botnet C2 (confidence level: 100%) |
http://freashalbany.site11.com/gate.php | Pony botnet C2 (confidence level: 100%) |
http://47.102.110.41:7766/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) |
http://49.12.113.110/641 | Vidar botnet C2 (confidence level: 100%) |
http://142.132.168.13/724 | Vidar botnet C2 (confidence level: 100%) |
Domain
Value | Description |
---|---|
pleasetake.pictures | Amadey botnet C2 domain (confidence level: 50%) |
doyiduzu.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
allowedcloud.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
redirect.frontlinepay.us | Cobalt Strike botnet C2 domain (confidence level: 100%) |
svchost20230103.ddnsfree.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
cs.newbird.cf | Cobalt Strike botnet C2 domain (confidence level: 100%) |
acordadeumavez.mom | Astaroth botnet C2 domain (confidence level: 100%) |
aesulluzetecnologia.hair | Astaroth botnet C2 domain (confidence level: 100%) |
anonovovidanova.mom | Astaroth botnet C2 domain (confidence level: 100%) |
nemtusabeoqquer.skin | Astaroth botnet C2 domain (confidence level: 100%) |
olhaaiquetendel.mom | Astaroth botnet C2 domain (confidence level: 100%) |
omaigod.skin | Astaroth botnet C2 domain (confidence level: 100%) |
sejaumapessoaboa.hair | Astaroth botnet C2 domain (confidence level: 100%) |
semmaldade.mom | Astaroth botnet C2 domain (confidence level: 100%) |
teligameu.hair | Astaroth botnet C2 domain (confidence level: 100%) |
tudopassa.skin | Astaroth botnet C2 domain (confidence level: 100%) |
vamocaralho.skin | Astaroth payload delivery domain (confidence level: 100%) |
searchme.top | RedLine Stealer botnet C2 domain (confidence level: 100%) |
spicymeat.top | RedLine Stealer botnet C2 domain (confidence level: 100%) |
sncrack.xyz | RedLine Stealer payload delivery domain (confidence level: 75%) |
alphasoft.pro | RedLine Stealer payload delivery domain (confidence level: 75%) |
whitecracks.com | RedLine Stealer payload delivery domain (confidence level: 75%) |
sakurasoft.pro | RedLine Stealer payload delivery domain (confidence level: 75%) |
ytsoftware.info | RedLine Stealer payload delivery domain (confidence level: 75%) |
milkagames.info | RedLine Stealer payload delivery domain (confidence level: 75%) |
softview.site | RedLine Stealer payload delivery domain (confidence level: 75%) |
heroncloud.art | RedLine Stealer payload delivery domain (confidence level: 75%) |
creativespirit.me | RedLine Stealer payload delivery domain (confidence level: 75%) |
side-soft.com | Raccoon payload delivery domain (confidence level: 75%) |
tensoft.online | Raccoon payload delivery domain (confidence level: 75%) |
tensoft.best | Raccoon payload delivery domain (confidence level: 75%) |
cloudsoft.club | Vidar payload delivery domain (confidence level: 75%) |
markjulianlerner.com | LaplasClipper payload delivery domain (confidence level: 75%) |
josephthomaskurzeja.com | LaplasClipper payload delivery domain (confidence level: 75%) |
File
Value | Description |
---|---|
3.122.103.39 | Cobalt Strike botnet C2 server (confidence level: 75%) |
23.227.202.66 | Cobalt Strike botnet C2 server (confidence level: 75%) |
185.48.86.75 | Cobalt Strike botnet C2 server (confidence level: 75%) |
185.48.86.75 | Cobalt Strike botnet C2 server (confidence level: 75%) |
185.48.86.75 | Cobalt Strike botnet C2 server (confidence level: 75%) |
185.48.86.75 | Cobalt Strike botnet C2 server (confidence level: 75%) |
49.234.152.199 | Cobalt Strike botnet C2 server (confidence level: 75%) |
106.55.2.194 | Cobalt Strike botnet C2 server (confidence level: 75%) |
37.38.244.230 | NjRAT botnet C2 server (confidence level: 100%) |
193.47.61.99 | Cobalt Strike botnet C2 server (confidence level: 100%) |
54.151.146.41 | Cobalt Strike botnet C2 server (confidence level: 100%) |
116.202.3.55 | RedLine Stealer botnet C2 server (confidence level: 100%) |
45.138.16.148 | Quasar RAT botnet C2 server (confidence level: 100%) |
45.89.54.61 | Raccoon botnet C2 server (confidence level: 100%) |
49.12.203.54 | Raccoon botnet C2 server (confidence level: 100%) |
51.178.186.12 | Raccoon botnet C2 server (confidence level: 100%) |
64.190.113.112 | Raccoon botnet C2 server (confidence level: 100%) |
77.73.133.90 | Raccoon botnet C2 server (confidence level: 100%) |
79.137.206.22 | Raccoon botnet C2 server (confidence level: 100%) |
81.19.140.95 | Raccoon botnet C2 server (confidence level: 100%) |
88.119.170.121 | Raccoon botnet C2 server (confidence level: 100%) |
89.23.96.13 | Raccoon botnet C2 server (confidence level: 100%) |
91.240.84.153 | Raccoon botnet C2 server (confidence level: 100%) |
103.219.154.115 | Raccoon botnet C2 server (confidence level: 100%) |
130.0.234.116 | Raccoon botnet C2 server (confidence level: 100%) |
146.19.170.164 | Raccoon botnet C2 server (confidence level: 100%) |
146.70.101.78 | Raccoon botnet C2 server (confidence level: 100%) |
146.70.104.186 | Raccoon botnet C2 server (confidence level: 100%) |
162.55.37.54 | Raccoon botnet C2 server (confidence level: 100%) |
185.181.10.208 | Raccoon botnet C2 server (confidence level: 100%) |
195.133.40.9 | Raccoon botnet C2 server (confidence level: 100%) |
212.118.36.51 | Raccoon botnet C2 server (confidence level: 100%) |
82.115.223.77 | Aurora Stealer botnet C2 server (confidence level: 100%) |
85.192.63.77 | Aurora Stealer botnet C2 server (confidence level: 100%) |
89.23.97.58 | Aurora Stealer botnet C2 server (confidence level: 100%) |
157.90.232.2 | Aurora Stealer botnet C2 server (confidence level: 100%) |
217.64.127.195 | Remcos botnet C2 server (confidence level: 100%) |
220.135.222.186 | Raspberry Robin botnet C2 server (confidence level: 100%) |
58.177.98.79 | Raspberry Robin botnet C2 server (confidence level: 100%) |
94.10.67.162 | Raspberry Robin botnet C2 server (confidence level: 100%) |
118.167.131.52 | Raspberry Robin botnet C2 server (confidence level: 100%) |
118.167.144.103 | Raspberry Robin botnet C2 server (confidence level: 100%) |
218.221.150.148 | Raspberry Robin botnet C2 server (confidence level: 100%) |
61.68.74.170 | Raspberry Robin botnet C2 server (confidence level: 100%) |
10.5.247.128 | Remcos botnet C2 server (confidence level: 75%) |
212.22.77.79 | Kinsing botnet C2 server (confidence level: 75%) |
195.2.78.146 | Kinsing botnet C2 server (confidence level: 75%) |
185.246.90.205 | Kinsing payload delivery server (confidence level: 75%) |
45.138.16.40 | Quasar RAT botnet C2 server (confidence level: 100%) |
185.87.48.183 | Kinsing botnet C2 server (confidence level: 75%) |
79.137.207.152 | Raccoon botnet C2 server (confidence level: 100%) |
185.222.58.68 | STRRAT botnet C2 server (confidence level: 100%) |
23.108.57.74 | Cobalt Strike botnet C2 server (confidence level: 100%) |
79.137.202.45 | Cobalt Strike botnet C2 server (confidence level: 100%) |
79.137.202.45 | Cobalt Strike botnet C2 server (confidence level: 100%) |
23.227.202.66 | Cobalt Strike botnet C2 server (confidence level: 100%) |
20.9.56.158 | Cobalt Strike botnet C2 server (confidence level: 100%) |
24.199.120.37 | Cobalt Strike botnet C2 server (confidence level: 100%) |
157.90.232.2 | Aurora Stealer botnet C2 server (confidence level: 50%) |
89.23.97.58 | Aurora Stealer botnet C2 server (confidence level: 50%) |
85.192.63.77 | Aurora Stealer botnet C2 server (confidence level: 50%) |
185.146.88.243 | Remcos botnet C2 server (confidence level: 75%) |
37.0.14.207 | Remcos botnet C2 server (confidence level: 100%) |
10.9.0.26 | Remcos botnet C2 server (confidence level: 75%) |
45.139.105.174 | Remcos botnet C2 server (confidence level: 75%) |
101.42.46.117 | Cobalt Strike botnet C2 server (confidence level: 75%) |
157.245.102.164 | Cobalt Strike botnet C2 server (confidence level: 75%) |
173.82.196.58 | Cobalt Strike botnet C2 server (confidence level: 75%) |
103.45.143.169 | Cobalt Strike botnet C2 server (confidence level: 75%) |
47.113.224.80 | Cobalt Strike botnet C2 server (confidence level: 75%) |
193.111.248.239 | Orcus RAT botnet C2 server (confidence level: 100%) |
78.47.172.233 | Vidar botnet C2 server (confidence level: 50%) |
194.5.212.164 | NetWire RC botnet C2 server (confidence level: 100%) |
107.189.10.180 | Mirai botnet C2 server (confidence level: 75%) |
108.62.118.219 | BumbleBee botnet C2 server (confidence level: 75%) |
49.12.113.110 | Vidar botnet C2 server (confidence level: 100%) |
65.21.237.20 | RedLine Stealer botnet C2 server (confidence level: 100%) |
103.131.189.217 | Cobalt Strike botnet C2 server (confidence level: 100%) |
37.130.119.233 | RedLine Stealer botnet C2 server (confidence level: 100%) |
91.238.50.101 | IcedID botnet C2 server (confidence level: 75%) |
5.75.145.16 | RedLine Stealer botnet C2 server (confidence level: 100%) |
82.115.223.46 | RedLine Stealer botnet C2 server (confidence level: 100%) |
82.115.223.138 | RedLine Stealer botnet C2 server (confidence level: 100%) |
103.37.86.14 | QakBot botnet C2 server (confidence level: 100%) |
46.176.173.2 | QakBot botnet C2 server (confidence level: 100%) |
80.121.53.116 | QakBot botnet C2 server (confidence level: 100%) |
85.74.155.45 | QakBot botnet C2 server (confidence level: 100%) |
178.142.122.255 | QakBot botnet C2 server (confidence level: 100%) |
82.15.58.109 | QakBot botnet C2 server (confidence level: 100%) |
102.158.90.125 | QakBot botnet C2 server (confidence level: 100%) |
47.16.66.61 | QakBot botnet C2 server (confidence level: 100%) |
87.223.93.233 | QakBot botnet C2 server (confidence level: 100%) |
105.68.197.223 | QakBot botnet C2 server (confidence level: 100%) |
90.75.188.155 | QakBot botnet C2 server (confidence level: 100%) |
93.56.127.246 | NjRAT botnet C2 server (confidence level: 100%) |
45.14.165.18 | N-W0rm botnet C2 server (confidence level: 100%) |
18.197.239.109 | NjRAT botnet C2 server (confidence level: 100%) |
3.69.157.220 | NjRAT botnet C2 server (confidence level: 100%) |
179.43.154.136 | Mirai botnet C2 server (confidence level: 75%) |
3.69.115.178 | NjRAT botnet C2 server (confidence level: 100%) |
Hash
Threat ID: 68359c9d5d5f0974d01f3804
Added to database: 5/27/2025, 11:06:05 AM
Last enriched: 7/5/2025, 11:11:39 PM
Last updated: 8/18/2025, 5:57:52 AM