ThreatFox IOCs for 2023-01-11
AI Analysis
Technical Summary
This entry is a set of Indicators of Compromise (IOCs) published on January 11, 2023 by ThreatFox, a platform for sharing threat intelligence. The threat is categorised as malware-related, with tags covering OSINT (Open Source Intelligence), network activity and payload delivery. Details are limited: no affected software versions are listed, no exploits are known in the wild and no patches apply. The threat level is rated medium, with a threat level score of 2 on an unspecified scale, indicating moderate concern. The absence of detailed malware behaviour analysis suggests this is a collection of IOCs rather than a newly discovered malware strain or vulnerability; its purpose is to disseminate intelligence about network activity and payload delivery mechanisms that defenders can use to detect or mitigate ongoing or future attacks. The lack of CWE identifiers and patch information implies that this is not a software vulnerability but a threat intelligence update about malware activity patterns and infrastructure. The network activity and payload delivery the indicators describe require no authentication or user interaction, but without explicit exploitation details the exact attack vector remains unclear. Overall, this update is a resource for security teams to improve detection coverage rather than a sign of an immediately exploitable vulnerability or an active widespread attack campaign.
Potential Impact
For European organisations, the impact of this threat lies mainly in increased exposure to malware delivery and network-based attacks. Because the indicators cover OSINT and payload delivery, they could support targeted attacks that use publicly available information to craft more convincing phishing campaigns or network intrusions. The medium severity rating indicates that the threat is not currently causing widespread disruption, but it could still let attackers compromise systems, leading to data breaches, service interruptions or unauthorised access. Organisations that depend heavily on networked infrastructure and have limited visibility into their network traffic are more exposed. Sectors holding high-value data or operating critical infrastructure face elevated risk if threat actors use this infrastructure to tailor attacks. The absence of known exploits in the wild and of patchable vulnerabilities reduces the immediate risk of large-scale exploitation; the main concern is that these IOCs point to infrastructure that may be used in future attacks, which makes proactive detection and response capabilities essential.
Mitigation Recommendations
Given the nature of this threat as an OSINT and network activity-related malware indicator set, European organisations should focus on enhancing their threat detection and response mechanisms. Specific recommendations include:
1) Integrate the provided IOCs into existing Security Information and Event Management (SIEM) systems and Intrusion Detection/Prevention Systems (IDS/IPS) to improve detection of related network activity and payload delivery attempts.
2) Conduct regular network traffic analysis to identify anomalous patterns that may correspond to the reported IOCs, focusing on unusual outbound connections or payload transfers.
3) Employ threat hunting exercises using the IOCs to proactively identify potential compromises or reconnaissance activities within the network.
4) Enhance employee awareness training about phishing and social engineering tactics that may leverage OSINT-derived information.
5) Maintain up-to-date endpoint protection solutions capable of detecting and blocking known malware payloads associated with these IOCs.
6) Collaborate with threat intelligence sharing communities to stay informed about updates or new indicators related to this threat.
These measures go beyond generic advice by emphasising the operational integration of threat intelligence and proactive network monitoring tailored to the nature of the reported threat.
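Steps 1 to 3 above are one pipeline in practice: normalise the feed into typed indicators, index it, and run it over network logs. The script below is an added example (not ThreatFox code and not part of the original report) that does exactly that for the list shape this page was extracted in, where an IP labelled "file" followed by a numeric "hash" is really an ip:port pair. The indicator values and threat labels are taken from this page; the proxy log lines, the `LABELS` mapping and the log format are constructed for the demonstration.

```python
"""Normalise a ThreatFox-style IOC dump and run it over sample proxy log lines.

Added example, not ThreatFox's or the page author's code. Indicator values
are taken from the page; the log lines and the LABELS mapping are constructed
for the demonstration.
"""
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Raw indicators in the "type: value" shape the page was extracted in. In that
# extract an IP labelled "file" followed by a digits-only "hash" is really an
# ip:port pair, while a 32/40/64-character hex "hash" is a real file hash.
RAW_IOCS = """\
- url: http://193.47.61.99/cm
- file: 193.47.61.99
- hash: 80
- url: http://185.246.90.205/kinsing
- file: 185.246.90.205
- hash: 80
- domain: doyiduzu.com
- file: 23.108.57.74
- hash: 443
- hash: 381134ea0f0be535b9d2ce8a94093576
- hash: cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb
"""

# Threat labels copied from the page's description column (constructed mapping).
LABELS = {
    "http://193.47.61.99/cm": "Cobalt Strike botnet C2 (confidence 100%)",
    "193.47.61.99:80": "Cobalt Strike botnet C2 server (confidence 100%)",
    "http://185.246.90.205/kinsing": "Kinsing payload delivery URL (confidence 100%)",
    "185.246.90.205:80": "Kinsing payload delivery server (confidence 75%)",
    "doyiduzu.com": "Cobalt Strike botnet C2 domain (confidence 100%)",
    "23.108.57.74:443": "Cobalt Strike botnet C2 server (confidence 100%)",
}

Indicator = namedtuple("Indicator", "kind value")
Hit = namedtuple("Hit", "line indicator label")

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def normalise(raw):
    """Parse '- type: value' lines into typed indicators, repairing the
    file/hash mislabelling so ip:port pairs and hashes come out typed."""
    items = []
    for line in raw.splitlines():
        line = line.strip().lstrip("- ")
        if ":" not in line:
            continue
        kind, value = (part.strip() for part in line.split(":", 1))
        items.append((kind, value))

    out, i = [], 0
    while i < len(items):
        kind, value = items[i]
        nxt = items[i + 1] if i + 1 < len(items) else None
        if (kind == "file" and IPV4.match(value)
                and nxt is not None and nxt[0] == "hash" and nxt[1].isdigit()):
            out.append(Indicator("ip:port", f"{value}:{nxt[1]}"))
            i += 2  # consumed the IP line and its port line together
            continue
        if kind == "hash" and HEX_HASH.match(value.lower()):
            out.append(Indicator(HASH_KIND[len(value)], value.lower()))
        elif kind in ("url", "domain"):
            out.append(Indicator(kind, value))
        # anything else (a stray port, an unknown type) is dropped
        i += 1
    return out


def build_index(indicators):
    """Group indicator values by kind for constant-time membership tests."""
    idx = {}
    for ind in indicators:
        idx.setdefault(ind.kind, set()).add(ind.value)
    return idx


def match_proxy_log(lines, idx):
    """Match constructed proxy log lines of the form
    '<timestamp> <src_ip> <dst_ip>:<dst_port> <url>' against the index.
    The most specific indicator wins: full URL, then host domain, then ip:port."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; a real pipeline would count these
        dst, url = parts[2], parts[3]
        host = urlsplit(url).hostname or ""
        if url in idx.get("url", ()):
            ind = Indicator("url", url)
        elif host in idx.get("domain", ()):
            ind = Indicator("domain", host)
        elif dst in idx.get("ip:port", ()):
            ind = Indicator("ip:port", dst)
        else:
            continue
        hits.append(Hit(line, ind, LABELS.get(ind.value, "unlabelled on the page")))
    return hits


# Constructed proxy log lines: three touch page indicators, the last is benign.
SAMPLE_LOG = [
    "2023-01-11T10:02:13Z 10.0.0.25 193.47.61.99:80 http://193.47.61.99/cm",
    "2023-01-11T10:04:51Z 10.0.0.31 23.108.57.74:443 https://doyiduzu.com/fabricate/privacypolicy/58u2fpavh92u",
    "2023-01-11T10:07:02Z 10.0.0.25 185.246.90.205:80 http://185.246.90.205/curl-amd64",
    "2023-01-11T10:09:44Z 10.0.0.40 93.184.216.34:443 https://example.com/index.html",
]

if __name__ == "__main__":
    iocs = normalise(RAW_IOCS)
    for kind in ("url", "domain", "ip:port", "md5", "sha256"):
        print(kind, sorted(v for k, v in iocs if k == kind))
    for hit in match_proxy_log(SAMPLE_LOG, build_index(iocs)):
        print(f"HIT {hit.indicator.kind}={hit.indicator.value}: {hit.label}")
```

The third sample line is caught only by its ip:port indicator because the URL it fetched is not in the small raw set, which is why the match order goes from most to least specific: a URL or domain hit carries the malware family with it, while a bare ip:port hit on a shared hosting address deserves a lower-confidence alert. The md5 and sha256 entries are normalised but not matched here; they belong in the endpoint protection or EDR hash blocklist of step 5 rather than in proxy log matching.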
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- url: http://871356.clmonth.nyashteam.top/nyashsupport.php
- domain: pleasetake.pictures
- ip:port: 3.122.103.39:4433
- ip:port: 23.227.202.66:443
- ip:port: 185.48.86.75:9000
- ip:port: 185.48.86.75:3002
- ip:port: 185.48.86.75:3301
- ip:port: 185.48.86.75:22222
- ip:port: 49.234.152.199:80
- ip:port: 106.55.2.194:2095
- url: http://82.146.34.244/pipe_bigloadgeneratorlocal.php
- ip:port: 37.38.244.230:1449
- url: http://193.47.61.99/cm
- ip:port: 193.47.61.99:80
- url: http://54.151.146.41/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- ip:port: 54.151.146.41:80
- url: http://101.33.125.241:4444/en_us/all.js
- ip:port: 116.202.3.55:28786
- ip:port: 45.138.16.148:5050
- ip:port: 45.89.54.61:80
- ip:port: 49.12.203.54:80
- ip:port: 51.178.186.12:80
- ip:port: 64.190.113.112:80
- ip:port: 77.73.133.90:80
- ip:port: 79.137.206.22:80
- ip:port: 81.19.140.95:80
- ip:port: 88.119.170.121:80
- ip:port: 89.23.96.13:80
- ip:port: 91.240.84.153:80
- ip:port: 103.219.154.115:80
- ip:port: 130.0.234.116:80
- ip:port: 146.19.170.164:80
- ip:port: 146.70.101.78:80
- ip:port: 146.70.104.186:80
- ip:port: 162.55.37.54:80
- ip:port: 185.181.10.208:80
- ip:port: 195.133.40.9:80
- ip:port: 212.118.36.51:80
- url: http://windowsign.theworkpc.com/pollbigloaddefaultdbbase.php
- ip:port: 82.115.223.77:8081
- ip:port: 85.192.63.77:8081
- ip:port: 89.23.97.58:8081
- ip:port: 157.90.232.2:8081
- url: http://158447.clmonth.nyashteam.top/nyashsupport.php
- md5: 381134ea0f0be535b9d2ce8a94093576
- url: http://42.224.213.130:35049/mozi.m
- ip:port: 217.64.127.195:52651
- ip:port: 220.135.222.186:8080
- ip:port: 58.177.98.79:8080
- ip:port: 94.10.67.162:8080
- ip:port: 118.167.131.52:8080
- ip:port: 118.167.144.103:8080
- ip:port: 218.221.150.148:8080
- ip:port: 61.68.74.170:8080
- ip:port: 10.5.247.128:52651
- ip:port: 212.22.77.79:80
- ip:port: 195.2.78.146:80
- url: http://185.246.90.205/libsystem.so
- url: http://185.246.90.205/curl-amd64
- url: http://185.246.90.205/kinsing
- ip:port: 185.246.90.205:80
- ip:port: 45.138.16.40:4782
- url: http://172.81.180.176/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://79.137.207.152/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://94.131.98.88/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://157.254.195.56/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://77.73.134.36/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://130.0.234.116/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://146.70.86.253/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://45.15.156.120/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://45.61.139.2/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- url: http://167.235.29.56/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll
- ip:port: 185.87.48.183:80
- ip:port: 79.137.207.152:80
- url: http://142.132.168.13/821
- url: http://142.132.168.13/27
- url: http://142.132.168.13/588
- url: http://116.202.7.135/817
- url: http://142.132.168.13/670
- url: http://142.132.168.13/811
- url: http://116.202.7.135/762
- url: http://142.132.168.13/683
- url: http://78.46.148.93/19
- url: http://142.132.168.13/560
- url: http://65.109.164.83/661
- ip:port: 185.222.58.68:7777
- url: https://doyiduzu.com/fabricate/privacypolicy/58u2fpavh92u
- domain: doyiduzu.com
- url: https://23.108.57.74/fabricate/privacypolicy/58u2fpavh92u
- ip:port: 23.108.57.74:443
- url: http://147.78.47.131/push
- ip:port: 79.137.202.45:80
- ip:port: 79.137.202.45:443
- url: https://allowedcloud.com/ur.html
- domain: allowedcloud.com
- url: http://91.213.50.75/__utm.gif
- md5: 5c7fb0927db37372da25f270708103a2
- url: http://91.213.50.75:8010/ptj
- url: http://allowedcloud.com/ee
- ip:port: 23.227.202.66:80
- url: https://redirect.frontlinepay.us/fwlink
- domain: redirect.frontlinepay.us
- ip:port: 20.9.56.158:443
- md5: 69c8f26359a2f91a60c66023180491f7
- url: https://svchost20230103.ddnsfree.com/dynu-3.3.1.min.js
- domain: svchost20230103.ddnsfree.com
- ip:port: 24.199.120.37:443
- ip:port: 157.90.232.2:80
- ip:port: 89.23.97.58:80
- ip:port: 85.192.63.77:80
- url: http://cs.newbird.cf/updates.rss
- domain: cs.newbird.cf
- ip:port: 185.146.88.243:2404
- md5: 1dba6023c933a8d7a9a6623c158bc4b7
- ip:port: 37.0.14.207:2404
- url: http://navylin.com/autopoisonous/4fzqw/
- url: http://asrani.garudaputih.com/nutabalong/bjyqouir99qnfopdx/
- url: http://db.rikaz.tech/lcx76ilkrbtesqnfa7/zpyjzponzstnoirhob/
- ip:port: 10.9.0.26:10929
- ip:port: 45.139.105.174:10929
- ip:port: 101.42.46.117:80
- ip:port: 157.245.102.164:443
- ip:port: 173.82.196.58:443
- ip:port: 103.45.143.169:80
- ip:port: 47.113.224.80:80
- ip:port: 193.111.248.239:10134
- sha256: cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb
- sha256: 2c6f8842494083e7ff70f648a116c74a22a470e7fab297cded5927f555a7fc6e
- url: http://5.75.182.6/
- ip:port: 78.47.172.233:80
- url: http://83.97.20.139/
- url: http://78.47.172.233:80
- ip:port: 194.5.212.164:3368
- domain: acordadeumavez.mom
- domain: aesulluzetecnologia.hair
- domain: anonovovidanova.mom
- domain: nemtusabeoqquer.skin
- domain: olhaaiquetendel.mom
- domain: omaigod.skin
- domain: sejaumapessoaboa.hair
- domain: semmaldade.mom
- domain: teligameu.hair
- domain: tudopassa.skin
- domain: vamocaralho.skin
- url: https://1.15.247.249:8088/ie9compatviewlist.xml
- ip:port: 107.189.10.180:3778
- ip:port: 108.62.118.219:443
- ip:port: 49.12.113.110:80
- url: http://49.12.113.110/408
- url: http://49.12.113.110/682
- url: http://142.132.168.13/408
- url: http://49.12.113.110/583
- url: http://49.12.113.110/762
- url: http://49.12.113.110/26
- url: http://78.46.148.93/736
- url: http://116.202.7.135/583
- url: http://5.75.203.81/698
- url: http://49.12.113.110/767
- url: http://49.12.113.110/494
- url: http://78.46.148.93/756
- url: http://49.12.113.110/817
- url: http://49.12.113.110/24
- url: http://142.132.168.13/24
- url: http://49.12.113.110/802
- url: http://49.12.113.110/724
- ip:port: 65.21.237.20:43077
- url: https://103.131.189.217/hpimagearchive.aspx
- ip:port: 103.131.189.217:443
- ip:port: 37.130.119.233:40294
- ip:port: 91.238.50.101:443
- ip:port: 5.75.145.16:37638
- ip:port: 82.115.223.46:57672
- ip:port: 82.115.223.138:35316
- domain: searchme.top
- domain: spicymeat.top
- url: http://37.220.87.38/
- url: http://94.131.107.176/
- url: http://37.220.87.38/700baf032ce70b3e36bb09314071637a
- url: http://freashalbany.site11.com/gate.php
- domain: sncrack.xyz
- domain: alphasoft.pro
- domain: whitecracks.com
- domain: sakurasoft.pro
- domain: ytsoftware.info
- domain: milkagames.info
- domain: softview.site
- domain: heroncloud.art
- domain: creativespirit.me
- domain: side-soft.com
- domain: tensoft.online
- domain: tensoft.best
- domain: cloudsoft.club
- domain: markjulianlerner.com
- domain: josephthomaskurzeja.com
- ip:port: 103.37.86.14:443
- ip:port: 46.176.173.2:995
- ip:port: 80.121.53.116:443
- ip:port: 85.74.155.45:2222
- ip:port: 178.142.122.255:443
- ip:port: 82.15.58.109:2222
- ip:port: 102.158.90.125:443
- ip:port: 47.16.66.61:2222
- ip:port: 87.223.93.233:443
- ip:port: 105.68.197.223:995
- ip:port: 90.75.188.155:2222
- url: http://47.102.110.41:7766/fwlink
- ip:port: 93.56.127.246:5552
- url: http://49.12.113.110/641
- url: http://142.132.168.13/724
- ip:port: 45.14.165.18:44810
- ip:port: 18.197.239.109:18280
- ip:port: 3.69.157.220:18280
- ip:port: 179.43.154.136:60195
- ip:port: 3.69.115.178:18280
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- Uuid: fc6f1dc1-1a0a-461a-b61d-853a3a6849df
- Original Timestamp: 1673481783 (2023-01-12T00:03:03Z)
Indicators of Compromise
Url
Value | Description
---|---
http://871356.clmonth.nyashteam.top/nyashsupport.php | DCRat botnet C2 (confidence level: 100%)
http://82.146.34.244/pipe_bigloadgeneratorlocal.php | DCRat botnet C2 (confidence level: 100%)
http://193.47.61.99/cm | Cobalt Strike botnet C2 (confidence level: 100%)
http://54.151.146.41/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%)
http://101.33.125.241:4444/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://windowsign.theworkpc.com/pollbigloaddefaultdbbase.php | DCRat botnet C2 (confidence level: 100%)
http://158447.clmonth.nyashteam.top/nyashsupport.php | DCRat botnet C2 (confidence level: 100%)
http://42.224.213.130:35049/mozi.m | Mozi payload delivery URL (confidence level: 50%)
http://185.246.90.205/libsystem.so | Kinsing payload delivery URL (confidence level: 100%)
http://185.246.90.205/curl-amd64 | Kinsing payload delivery URL (confidence level: 100%)
http://185.246.90.205/kinsing | Kinsing payload delivery URL (confidence level: 100%)
http://172.81.180.176/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%)
http://79.137.207.152/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%)
http://94.131.98.88/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%)
http://157.254.195.56/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%)
http://77.73.134.36/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%)
http://130.0.234.116/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%)
http://146.70.86.253/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%)
http://45.15.156.120/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%)
http://45.61.139.2/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%)
http://167.235.29.56/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll | Raccoon botnet C2 (confidence level: 100%)
http://142.132.168.13/821 | Vidar botnet C2 (confidence level: 100%)
http://142.132.168.13/27 | Vidar botnet C2 (confidence level: 100%)
http://142.132.168.13/588 | Vidar botnet C2 (confidence level: 100%)
http://116.202.7.135/817 | Vidar botnet C2 (confidence level: 100%)
http://142.132.168.13/670 | Vidar botnet C2 (confidence level: 100%)
http://142.132.168.13/811 | Vidar botnet C2 (confidence level: 100%)
http://116.202.7.135/762 | Vidar botnet C2 (confidence level: 100%)
http://142.132.168.13/683 | Vidar botnet C2 (confidence level: 100%)
http://78.46.148.93/19 | Vidar botnet C2 (confidence level: 100%)
http://142.132.168.13/560 | Vidar botnet C2 (confidence level: 100%)
http://65.109.164.83/661 | Vidar botnet C2 (confidence level: 100%)
https://doyiduzu.com/fabricate/privacypolicy/58u2fpavh92u | Cobalt Strike botnet C2 (confidence level: 100%)
https://23.108.57.74/fabricate/privacypolicy/58u2fpavh92u | Cobalt Strike botnet C2 (confidence level: 100%)
http://147.78.47.131/push | Cobalt Strike botnet C2 (confidence level: 100%)
https://allowedcloud.com/ur.html | Cobalt Strike botnet C2 (confidence level: 100%)
http://91.213.50.75/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://91.213.50.75:8010/ptj | Cobalt Strike botnet C2 (confidence level: 100%)
http://allowedcloud.com/ee | Cobalt Strike botnet C2 (confidence level: 100%)
https://redirect.frontlinepay.us/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
https://svchost20230103.ddnsfree.com/dynu-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://cs.newbird.cf/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
http://navylin.com/autopoisonous/4fzqw/ | Emotet payload delivery URL (confidence level: 100%)
http://asrani.garudaputih.com/nutabalong/bjyqouir99qnfopdx/ | Emotet payload delivery URL (confidence level: 100%)
http://db.rikaz.tech/lcx76ilkrbtesqnfa7/zpyjzponzstnoirhob/ | Emotet payload delivery URL (confidence level: 100%)
http://5.75.182.6/ | Arkei Stealer botnet C2 (confidence level: 100%)
http://83.97.20.139/ | RecordBreaker botnet C2 (confidence level: 100%)
http://78.47.172.233:80 | Vidar botnet C2 (confidence level: 50%)
https://1.15.247.249:8088/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
http://49.12.113.110/408 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.110/682 | Vidar botnet C2 (confidence level: 100%)
http://142.132.168.13/408 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.110/583 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.110/762 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.110/26 | Vidar botnet C2 (confidence level: 100%)
http://78.46.148.93/736 | Vidar botnet C2 (confidence level: 100%)
http://116.202.7.135/583 | Vidar botnet C2 (confidence level: 100%)
http://5.75.203.81/698 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.110/767 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.110/494 | Vidar botnet C2 (confidence level: 100%)
http://78.46.148.93/756 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.110/817 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.110/24 | Vidar botnet C2 (confidence level: 100%)
http://142.132.168.13/24 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.110/802 | Vidar botnet C2 (confidence level: 100%)
http://49.12.113.110/724 | Vidar botnet C2 (confidence level: 100%)
https://103.131.189.217/hpimagearchive.aspx | Cobalt Strike botnet C2 (confidence level: 100%)
http://37.220.87.38/ | Raccoon botnet C2 (confidence level: 100%)
http://94.131.107.176/ | Raccoon botnet C2 (confidence level: 100%)
http://37.220.87.38/700baf032ce70b3e36bb09314071637a | Raccoon botnet C2 (confidence level: 100%)
http://freashalbany.site11.com/gate.php | Pony botnet C2 (confidence level: 100%)
http://47.102.110.41:7766/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
http://49.12.113.110/641 | Vidar botnet C2 (confidence level: 100%)
http://142.132.168.13/724 | Vidar botnet C2 (confidence level: 100%)
Domain
Value | Description
---|---
pleasetake.pictures | Amadey botnet C2 domain (confidence level: 50%)
doyiduzu.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
allowedcloud.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
redirect.frontlinepay.us | Cobalt Strike botnet C2 domain (confidence level: 100%)
svchost20230103.ddnsfree.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
cs.newbird.cf | Cobalt Strike botnet C2 domain (confidence level: 100%)
acordadeumavez.mom | Astaroth botnet C2 domain (confidence level: 100%)
aesulluzetecnologia.hair | Astaroth botnet C2 domain (confidence level: 100%)
anonovovidanova.mom | Astaroth botnet C2 domain (confidence level: 100%)
nemtusabeoqquer.skin | Astaroth botnet C2 domain (confidence level: 100%)
olhaaiquetendel.mom | Astaroth botnet C2 domain (confidence level: 100%)
omaigod.skin | Astaroth botnet C2 domain (confidence level: 100%)
sejaumapessoaboa.hair | Astaroth botnet C2 domain (confidence level: 100%)
semmaldade.mom | Astaroth botnet C2 domain (confidence level: 100%)
teligameu.hair | Astaroth botnet C2 domain (confidence level: 100%)
tudopassa.skin | Astaroth botnet C2 domain (confidence level: 100%)
vamocaralho.skin | Astaroth payload delivery domain (confidence level: 100%)
searchme.top | RedLine Stealer botnet C2 domain (confidence level: 100%)
spicymeat.top | RedLine Stealer botnet C2 domain (confidence level: 100%)
sncrack.xyz | RedLine Stealer payload delivery domain (confidence level: 75%)
alphasoft.pro | RedLine Stealer payload delivery domain (confidence level: 75%)
whitecracks.com | RedLine Stealer payload delivery domain (confidence level: 75%)
sakurasoft.pro | RedLine Stealer payload delivery domain (confidence level: 75%)
ytsoftware.info | RedLine Stealer payload delivery domain (confidence level: 75%)
milkagames.info | RedLine Stealer payload delivery domain (confidence level: 75%)
softview.site | RedLine Stealer payload delivery domain (confidence level: 75%)
heroncloud.art | RedLine Stealer payload delivery domain (confidence level: 75%)
creativespirit.me | RedLine Stealer payload delivery domain (confidence level: 75%)
side-soft.com | Raccoon payload delivery domain (confidence level: 75%)
tensoft.online | Raccoon payload delivery domain (confidence level: 75%)
tensoft.best | Raccoon payload delivery domain (confidence level: 75%)
cloudsoft.club | Vidar payload delivery domain (confidence level: 75%)
markjulianlerner.com | LaplasClipper payload delivery domain (confidence level: 75%)
josephthomaskurzeja.com | LaplasClipper payload delivery domain (confidence level: 75%)
IP address
Value | Description
---|---
3.122.103.39 | Cobalt Strike botnet C2 server (confidence level: 75%)
23.227.202.66 | Cobalt Strike botnet C2 server (confidence level: 75%)
185.48.86.75 | Cobalt Strike botnet C2 server (confidence level: 75%)
185.48.86.75 | Cobalt Strike botnet C2 server (confidence level: 75%)
185.48.86.75 | Cobalt Strike botnet C2 server (confidence level: 75%)
185.48.86.75 | Cobalt Strike botnet C2 server (confidence level: 75%)
49.234.152.199 | Cobalt Strike botnet C2 server (confidence level: 75%)
106.55.2.194 | Cobalt Strike botnet C2 server (confidence level: 75%)
37.38.244.230 | NjRAT botnet C2 server (confidence level: 100%)
193.47.61.99 | Cobalt Strike botnet C2 server (confidence level: 100%)
54.151.146.41 | Cobalt Strike botnet C2 server (confidence level: 100%)
116.202.3.55 | RedLine Stealer botnet C2 server (confidence level: 100%)
45.138.16.148 | Quasar RAT botnet C2 server (confidence level: 100%)
45.89.54.61 | Raccoon botnet C2 server (confidence level: 100%)
49.12.203.54 | Raccoon botnet C2 server (confidence level: 100%)
51.178.186.12 | Raccoon botnet C2 server (confidence level: 100%)
64.190.113.112 | Raccoon botnet C2 server (confidence level: 100%)
77.73.133.90 | Raccoon botnet C2 server (confidence level: 100%)
79.137.206.22 | Raccoon botnet C2 server (confidence level: 100%)
81.19.140.95 | Raccoon botnet C2 server (confidence level: 100%)
88.119.170.121 | Raccoon botnet C2 server (confidence level: 100%)
89.23.96.13 | Raccoon botnet C2 server (confidence level: 100%)
91.240.84.153 | Raccoon botnet C2 server (confidence level: 100%)
103.219.154.115 | Raccoon botnet C2 server (confidence level: 100%)
130.0.234.116 | Raccoon botnet C2 server (confidence level: 100%)
146.19.170.164 | Raccoon botnet C2 server (confidence level: 100%)
146.70.101.78 | Raccoon botnet C2 server (confidence level: 100%)
146.70.104.186 | Raccoon botnet C2 server (confidence level: 100%)
162.55.37.54 | Raccoon botnet C2 server (confidence level: 100%)
185.181.10.208 | Raccoon botnet C2 server (confidence level: 100%)
195.133.40.9 | Raccoon botnet C2 server (confidence level: 100%)
212.118.36.51 | Raccoon botnet C2 server (confidence level: 100%)
82.115.223.77 | Aurora Stealer botnet C2 server (confidence level: 100%)
85.192.63.77 | Aurora Stealer botnet C2 server (confidence level: 100%)
89.23.97.58 | Aurora Stealer botnet C2 server (confidence level: 100%)
157.90.232.2 | Aurora Stealer botnet C2 server (confidence level: 100%)
217.64.127.195 | Remcos botnet C2 server (confidence level: 100%)
220.135.222.186 | Raspberry Robin botnet C2 server (confidence level: 100%)
58.177.98.79 | Raspberry Robin botnet C2 server (confidence level: 100%)
94.10.67.162 | Raspberry Robin botnet C2 server (confidence level: 100%)
118.167.131.52 | Raspberry Robin botnet C2 server (confidence level: 100%)
118.167.144.103 | Raspberry Robin botnet C2 server (confidence level: 100%)
218.221.150.148 | Raspberry Robin botnet C2 server (confidence level: 100%)
61.68.74.170 | Raspberry Robin botnet C2 server (confidence level: 100%)
10.5.247.128 | Remcos botnet C2 server (confidence level: 75%)
212.22.77.79 | Kinsing botnet C2 server (confidence level: 75%)
195.2.78.146 | Kinsing botnet C2 server (confidence level: 75%)
185.246.90.205 | Kinsing payload delivery server (confidence level: 75%)
45.138.16.40 | Quasar RAT botnet C2 server (confidence level: 100%)
185.87.48.183 | Kinsing botnet C2 server (confidence level: 75%)
79.137.207.152 | Raccoon botnet C2 server (confidence level: 100%)
185.222.58.68 | STRRAT botnet C2 server (confidence level: 100%)
23.108.57.74 | Cobalt Strike botnet C2 server (confidence level: 100%)
79.137.202.45 | Cobalt Strike botnet C2 server (confidence level: 100%)
79.137.202.45 | Cobalt Strike botnet C2 server (confidence level: 100%)
23.227.202.66 | Cobalt Strike botnet C2 server (confidence level: 100%)
20.9.56.158 | Cobalt Strike botnet C2 server (confidence level: 100%)
24.199.120.37 | Cobalt Strike botnet C2 server (confidence level: 100%)
157.90.232.2 | Aurora Stealer botnet C2 server (confidence level: 50%)
89.23.97.58 | Aurora Stealer botnet C2 server (confidence level: 50%)
85.192.63.77 | Aurora Stealer botnet C2 server (confidence level: 50%)
185.146.88.243 | Remcos botnet C2 server (confidence level: 75%)
37.0.14.207 | Remcos botnet C2 server (confidence level: 100%)
10.9.0.26 | Remcos botnet C2 server (confidence level: 75%)
45.139.105.174 | Remcos botnet C2 server (confidence level: 75%)
101.42.46.117 | Cobalt Strike botnet C2 server (confidence level: 75%)
157.245.102.164 | Cobalt Strike botnet C2 server (confidence level: 75%)
173.82.196.58 | Cobalt Strike botnet C2 server (confidence level: 75%)
103.45.143.169 | Cobalt Strike botnet C2 server (confidence level: 75%)
47.113.224.80 | Cobalt Strike botnet C2 server (confidence level: 75%)
193.111.248.239 | Orcus RAT botnet C2 server (confidence level: 100%)
78.47.172.233 | Vidar botnet C2 server (confidence level: 50%)
194.5.212.164 | NetWire RC botnet C2 server (confidence level: 100%)
107.189.10.180 | Mirai botnet C2 server (confidence level: 75%)
108.62.118.219 | BumbleBee botnet C2 server (confidence level: 75%)
49.12.113.110 | Vidar botnet C2 server (confidence level: 100%)
65.21.237.20 | RedLine Stealer botnet C2 server (confidence level: 100%)
103.131.189.217 | Cobalt Strike botnet C2 server (confidence level: 100%)
37.130.119.233 | RedLine Stealer botnet C2 server (confidence level: 100%)
91.238.50.101 | IcedID botnet C2 server (confidence level: 75%)
5.75.145.16 | RedLine Stealer botnet C2 server (confidence level: 100%)
82.115.223.46 | RedLine Stealer botnet C2 server (confidence level: 100%)
82.115.223.138 | RedLine Stealer botnet C2 server (confidence level: 100%)
103.37.86.14 | QakBot botnet C2 server (confidence level: 100%)
46.176.173.2 | QakBot botnet C2 server (confidence level: 100%)
80.121.53.116 | QakBot botnet C2 server (confidence level: 100%)
85.74.155.45 | QakBot botnet C2 server (confidence level: 100%)
178.142.122.255 | QakBot botnet C2 server (confidence level: 100%)
82.15.58.109 | QakBot botnet C2 server (confidence level: 100%)
102.158.90.125 | QakBot botnet C2 server (confidence level: 100%)
47.16.66.61 | QakBot botnet C2 server (confidence level: 100%)
87.223.93.233 | QakBot botnet C2 server (confidence level: 100%)
105.68.197.223 | QakBot botnet C2 server (confidence level: 100%)
90.75.188.155 | QakBot botnet C2 server (confidence level: 100%)
93.56.127.246 | NjRAT botnet C2 server (confidence level: 100%)
45.14.165.18 | N-W0rm botnet C2 server (confidence level: 100%)
18.197.239.109 | NjRAT botnet C2 server (confidence level: 100%)
file3.69.157.220 | NjRAT botnet C2 server (confidence level: 100%) | |
file179.43.154.136 | Mirai botnet C2 server (confidence level: 75%) | |
file3.69.115.178 | NjRAT botnet C2 server (confidence level: 100%) |
Hash
Threat ID: 682acdc3bbaf20d303f1d940
Added to database: 5/19/2025, 6:20:51 AM
Last enriched: 6/18/2025, 8:50:15 AM
Last updated: 8/17/2025, 3:37:59 AM