ThreatFox IOCs for 2023-02-26
AI Analysis
Technical Summary
This entry is a collection of Indicators of Compromise (IOCs) published by ThreatFox on February 26, 2023, in the malware category. The data is classified as OSINT (Open Source Intelligence) and tagged TLP:WHITE, so it may be distributed without restriction. The entry carries a medium severity level; no affected software versions or products are identified, and no exploits are known to be active in the wild. The technical details list a threat level of 2 (on an unspecified scale), an analysis rating of 1, and a distribution rating of 3, suggesting moderate dissemination or availability of the IOCs. The absence of concrete technical indicators, such as malware family names, attack vectors, or exploit mechanisms, limits the depth of technical analysis. The entry appears to be a general malware-related intelligence update rather than a targeted or novel exploit. The lack of CWE identifiers and patch links further indicates an informational release of IOCs rather than a vulnerability advisory. Overall, this intelligence is a resource for security teams to update detection capabilities and monitor for related malicious activity; it does not describe a specific active threat campaign or exploit method.
Potential Impact
For European organizations, the impact of this entry lies mainly in using the provided IOCs to detect and mitigate malware infections. Since no specific malware strain or exploit is detailed, the direct impact is limited to improved situational awareness and detection capability. Organizations that integrate these IOCs into their security monitoring tools may identify malicious activity earlier, reducing the risk of data breaches, system compromise, or operational disruption. Without active exploits or targeted campaigns, however, the immediate risk to confidentiality, integrity, or availability is low to medium. The broad nature of the IOCs means they could be relevant across multiple sectors, including critical infrastructure, finance, and government, where malware infections can have cascading effects. The medium severity rating indicates that while the threat is not urgent, it should not be ignored, especially in environments with high exposure to malware or where OSINT feeds are a key component of the threat intelligence program.
Mitigation Recommendations
European organizations should incorporate the provided IOCs into their existing security information and event management (SIEM) systems, endpoint detection and response (EDR) tools, and network intrusion detection systems (NIDS) to enhance detection capabilities. Specifically, security teams should:
1) Regularly update threat intelligence feeds to include the latest IOCs from ThreatFox and similar OSINT sources.
2) Correlate these IOCs with internal logs to identify any signs of compromise or suspicious activity.
3) Conduct targeted threat hunting exercises using the IOCs to proactively detect latent infections.
4) Ensure that endpoint protection platforms are configured to recognize and block malware signatures related to these IOCs.
5) Train security analysts to interpret OSINT-derived IOCs critically, understanding their context and limitations.
6) Maintain robust incident response plans that can quickly leverage new intelligence to contain and remediate infections.
7) Since no patches or specific vulnerabilities are indicated, focus on general malware defense best practices such as application whitelisting, network segmentation, and least privilege access controls.
These steps go beyond generic advice by emphasizing integration and operationalization of OSINT IOCs within existing security workflows.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- UUID: 0e431077-7550-4145-8254-3182151988c4
- Original Timestamp: 1677456184
Indicators of Compromise
urlhttps://98.142.143.85/cm | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://44.198.164.69/dpixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://82.157.75.169/pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://150.158.11.76/pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://150.158.11.76:8080/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://118.31.76.240:7999/push | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://80.87.192.227/7/_8generator/imageexternalgame3/5/08protect8/default/eternalmultiwp/image6/voiddbtemp0/external6/_dlegeneratorprivate/traffic68/private/videoservervoiddb/php83/universal2/universalhttppython/21/multiprocessor/eternalprotectwindowsflowerasync.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://www.diaolu.live:8080/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://139.180.193.248:9000/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://107.172.208.88:8080/match | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://yifebuto.com/inquiry/issues/vlqlvst0pyx7 | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://23.108.57.239/inquiry/issues/vlqlvst0pyx7 | Cobalt Strike botnet C2 (confidence level: 100%) |
Domain
Threat ID: 682b7ba2d3ddd8cef2e7728c
Added to database: 5/19/2025, 6:42:42 PM
Last enriched: 6/18/2025, 7:03:59 PM
Last updated: 8/15/2025, 8:07:13 PM