ThreatFox IOCs for 2023-03-06
AI Analysis
Technical Summary
The provided information pertains to a set of Indicators of Compromise (IOCs) published on 2023-03-06 via ThreatFox, a platform that aggregates threat intelligence data. However, the details are minimal and do not specify any particular vulnerability, malware, or attack technique. The threat type is marked as 'unknown,' and no affected software versions or specific technical indicators are provided. The severity is noted as 'medium,' but this appears to be a general classification rather than one based on detailed exploitability or impact data. The threat level, analysis, and distribution metrics are low to moderate (threatLevel: 2, analysis: 1, distribution: 3), suggesting limited confidence or scope. No known exploits in the wild are reported, and there are no patch links or CWE identifiers. The tags indicate this is OSINT (open-source intelligence) data with a TLP (Traffic Light Protocol) white classification, meaning it is publicly shareable. Overall, this entry appears to be a generic or placeholder IOC publication without actionable or detailed threat information.
Potential Impact
Given the lack of specific technical details, affected systems, or exploit information, the potential impact on European organizations cannot be concretely assessed. Without known exploits or targeted vulnerabilities, the risk remains theoretical. If these IOCs were indicators related to malware or intrusion campaigns, European entities could be at risk depending on the nature of the threat. However, as no concrete attack vectors or affected products are identified, the immediate impact is minimal. Organizations should remain vigilant, but no direct operational impact is evident from this data alone.
Mitigation Recommendations
Since no specific vulnerabilities or attack methods are described, mitigation should focus on general best practices for handling threat intelligence and IOCs:
- Integrate IOC feeds like ThreatFox into existing security monitoring tools to detect potential malicious activity.
- Maintain up-to-date endpoint protection and network defenses to prevent exploitation of unknown threats.
- Conduct regular threat hunting exercises using available IOCs to identify any signs of compromise.
- Ensure incident response teams are prepared to analyze and act on new intelligence as it becomes available.
- Collaborate with information sharing communities to receive timely updates and context on emerging threats.
These steps go beyond generic advice by emphasizing proactive IOC integration and community collaboration.
Indicators of Compromise
- url: http://104.193.254.45/bot/regex?key=3682a4b856cc8db9e7c6f4deda4a6fdc2a8f662f4cc34c6d4365d36e3ed0ab52
- ip-dst|port: 45.8.146.108|19179
- ip-dst|port: 8.142.124.166|8443
- ip-dst|port: 152.89.196.12|82
- ip-dst|port: 1.13.82.101|4443
- ip-dst|port: 79.134.225.17|3704
- url: http://45.159.189.105/bot/regex?key=3682a4b856cc8db9e7c6f4deda4a6fdc2a8f662f4cc34c6d4365d36e3ed0ab52
- url: http://68.183.13.128/?page_id=1860
- url: http://68.183.13.128/?page_id=4136377
- url: https://195.189.96.146/pixel.gif
- ip-dst|port: 195.189.96.146|443
- ip-dst|port: 37.0.14.205|3392
- ip-dst|port: 18.231.93.153|13305
- ip-dst|port: 54.94.248.37|13305
- ip-dst|port: 18.229.248.167|13305
- ip-dst|port: 18.229.146.63|13305
- ip-dst|port: 3.124.142.205|10776
- ip-dst|port: 3.125.209.94|10776
- ip-dst|port: 3.125.102.39|10776
- ip-dst|port: 18.158.249.75|10776
- ip-dst|port: 45.153.241.202|80
- ip-dst|port: 65.108.241.85|80
- ip-dst|port: 77.91.68.33|80
- ip-dst|port: 77.91.78.46|80
- ip-dst|port: 77.91.78.50|80
- ip-dst|port: 77.91.84.20|80
- ip-dst|port: 77.91.84.68|80
- ip-dst|port: 85.217.144.18|80
- ip-dst|port: 89.23.97.130|80
- ip-dst|port: 94.142.138.162|80
- ip-dst|port: 94.142.138.166|80
- ip-dst|port: 94.142.138.168|80
- ip-dst|port: 94.142.138.169|80
- ip-dst|port: 94.142.138.177|80
- ip-dst|port: 104.40.27.143|80
- ip-dst|port: 185.106.92.101|80
- ip-dst|port: 185.106.94.71|80
- ip-dst|port: 192.153.57.230|80
- ip-dst|port: 212.113.106.218|80
- ip-dst|port: 65.21.52.22|80
- ip-dst|port: 94.142.138.171|80
- ip-dst|port: 82.115.223.9|8081
- ip-dst|port: 84.54.50.28|8081
- ip-dst|port: 94.131.112.184|8081
- ip-dst|port: 94.142.138.132|8081
- ip-dst|port: 94.142.138.137|8081
- ip-dst|port: 94.142.138.147|8081
- ip-dst|port: 94.142.138.151|8081
- ip-dst|port: 94.142.138.164|8081
- ip-dst|port: 103.184.97.117|8081
- ip-dst|port: 104.37.173.104|8081
- url: http://84.54.50.28/auth
- url: http://94.131.112.184/auth
- url: http://94.142.138.132/auth
- url: http://94.142.138.137/auth
- url: http://94.142.138.147/auth
- url: http://94.142.138.151/auth
- url: http://94.142.138.164/auth
- url: http://103.184.97.117/auth
- ip-dst|port: 18.192.31.165|10776
- url: http://46.151.30.40/dbserver/8packet/cdncdn4datalife/securetodle/flowerlinuxmariadb/uploads/bigload7image/temporarycdn/basegamepipe/game0/testprotonrequestsql/db0mariadb9/7linevideo/vmserverpublic/multilongpolllow/cdndatalifeprovider/dumptestbetter/updateprotect.php
- ip-dst|port: 135.181.24.195|28416
- ip-dst|port: 85.217.144.59|45
- ip-dst|port: 5.230.66.157|443
- ip-dst|port: 45.11.180.82|80
- ip-dst|port: 5.230.73.157|443
- ip-dst|port: 45.11.180.240|80
- url: http://45.128.234.216/externalto.php
- url: http://85.31.45.100/329b7da7ac4c3538.php
- ip-dst|port: 85.217.144.59|1024
- ip-dst|port: 91.193.75.141|3236
- url: http://45.90.222.125:7121/is-ready
- domain: orduhanpi.ru
- domain: ogtaypi.ru
- domain: myuridgo.ru
- domain: muhtargo.ru
- domain: muhsingo.ru
- domain: osmanpo.ru
- domain: payampo.ru
- hash: c9e84fae8578d34ab6b65d5c44e54fb2
- hash: caedf21246e5920e1015959f9fc9029f
- hash: 32031a03a5302c16d28028dbe3cc911e
- hash: ee71e50f5c24475a08456cc6486e12da
- hash: 9f4186242fd9479571daf9ea59a81342
- hash: 8635a69131f07f61225891a7d5ec8ace
- domain: download-discord.top
- ip-dst|port: 192.3.193.136|1344
- url: http://45.91.81.42:8081/cm
- url: https://service-dydpc1xk-1304560974.gz.apigw.tencentcs.com/api/x
- ip-dst|port: 68.183.21.224|443
- url: http://45.91.81.42:8082/load
- ip-dst|port: 91.241.93.150|80
- ip-dst|port: 103.213.111.207|6606
- url: http://lahsfr12.top/gate.php
- ip-dst|port: 194.59.218.147|8808
- url: https://208.67.105.87:13443/push
- ip-dst|port: 51.68.180.4|4040
- ip-dst|port: 51.68.180.4|5058
- ip-dst|port: 51.68.180.4|6606
- ip-dst|port: 51.68.180.4|7707
- ip-dst|port: 51.68.180.4|80
- ip-dst|port: 51.68.180.4|8808
- ip-dst|port: 82.115.223.9|80
- ip-dst|port: 103.184.97.117|80
- ip-dst|port: 94.142.138.164|80
- ip-dst|port: 94.142.138.151|80
- ip-dst|port: 94.142.138.147|80
- ip-dst|port: 94.142.138.137|80
- ip-dst|port: 94.142.138.132|80
- ip-dst|port: 94.131.112.184|80
- ip-dst|port: 179.61.251.213|5683
- url: http://23.106.215.95/g9qpzle/index.php
- url: https://service-ftyn94bx-1308675124.cd.apigw.tencentcs.com/jquery/2.0.1/jquery.min.js
- domain: service-ftyn94bx-1308675124.cd.apigw.tencentcs.com
- url: http://143.42.120.56:8082/discussion/mayo-clinic-radio-als/
- url: https://172.96.237.159:8443/visit.js
- url: https://176.113.115.44/visit.js
- url: http://143.42.120.56:47666/category/research-2/
- url: https://108.165.178.42/pixel.gif
- ip-dst|port: 46.8.19.163|445
- ip-dst|port: 46.8.19.32|445
- ip-dst|port: 62.173.140.103|80
- ip-dst|port: 31.41.44.63|80
- ip-dst|port: 46.8.19.239|80
- ip-dst|port: 185.77.96.40|80
- ip-dst|port: 46.8.19.116|80
- ip-dst|port: 31.41.44.48|80
- ip-dst|port: 62.173.139.11|80
- ip-dst|port: 62.173.138.251|80
- url: http://dyshangcheng.info:8888/cx
- url: http://101.43.220.96/g.pixel
- ip-dst|port: 101.43.220.96|80
- url: http://88.214.27.53:50005/g.pixel
- url: http://207.148.93.50:8090/__utm.gif
- url: http://88.214.27.53:50001/cm
- ip-dst|port: 101.43.215.118|9090
- ip-dst|port: 118.195.172.110|8012
- ip-dst|port: 179.43.187.185|8080
- ip-dst|port: 84.32.34.97|80
- ip-dst|port: 57.128.195.112|8443
- ip-dst|port: 1.15.141.252|8080
- url: http://108.165.178.42/updates.rss
- url: https://api.360com.live/_/scs/mail-static/_/js/
- domain: api.360com.live
- ip-dst|port: 27.99.34.220|2222
- ip-dst|port: 83.7.52.249|443
- ip-dst|port: 160.176.143.232|443
- ip-dst|port: 64.237.221.254|443
- ip-dst|port: 180.158.186.175|995
- ip-dst|port: 176.205.188.253|2222
- ip-dst|port: 105.186.229.25|995
- ip-dst|port: 102.46.73.102|995
- ip-dst|port: 87.223.81.32|443
- ip-dst|port: 116.74.164.150|443
- ip-dst|port: 109.149.148.242|2222
- ip-dst|port: 202.187.239.34|995
- ip-dst|port: 217.165.230.100|2222
- ip-dst|port: 86.98.212.69|443
- ip-dst|port: 41.62.129.151|443
- ip-dst|port: 37.186.55.152|2222
- ip-dst|port: 171.97.42.222|443
- ip-dst|port: 86.99.51.33|2222
- ip-dst|port: 80.1.152.201|443
- ip-dst|port: 31.167.215.175|995
- ip-dst|port: 82.212.119.175|443
- ip-dst|port: 85.139.118.210|443
- url: http://81.68.136.116/ga.js
- url: http://146.190.116.245/twr1tzi/03/file.dll
- url: http://134.209.216.163/qi46n1n/03/file.dll
- url: http://162.243.186.39/snujx/03/file.dll
- url: http://142.93.250.152/umua6sh/03/file.dll
- url: http://161.35.58.146/fiu1z/03/file.dll
- url: http://51.195.166.206/
- url: http://143.42.120.56:48888/category/research-2/
- url: http://88.214.27.53:50006/dot.gif
- url: http://1.15.120.10/ie9compatviewlist.xml
- ip-dst|port: 1.15.120.10|80
- ip-dst|port: 176.10.111.192|80
- ip-dst|port: 176.10.111.199|80
- ip-dst|port: 185.219.220.78|80
- ip-dst|port: 185.219.220.136|80
- url: http://157.230.128.40/utsm.php
- url: http://164.92.104.231/tarl.php
- url: http://143.198.98.187/gie.php
- url: http://137.184.8.182/la.php
- url: http://138.197.208.176/se.php
- ip-dst|port: 104.168.151.120|443
- url: http://95.217.221.82/
- url: http://95.217.221.82/photos.zip
- url: https://t.me/nemesisgrow
- url: https://steamcommunity.com/profiles/76561199471222742
- url: http://116.202.8.130/
- url: http://116.202.8.130/photos.zip
- url: http://65.109.12.165/
- url: http://65.109.12.165/photos.zip
- ip-dst|port: 95.217.221.82|80
- ip-dst|port: 116.202.8.130|80
- ip-dst|port: 65.109.12.165|80
- ip-dst|port: 147.185.221.229|56094
- url: http://77.91.78.50/
- ip-dst|port: 194.87.68.68|25
- ip-dst|port: 194.87.68.68|80
- ip-dst|port: 146.70.124.72|7443
- ip-dst|port: 112.29.177.90|10036
- ip-dst|port: 112.29.177.91|10036
- ip-dst|port: 112.29.177.98|10036
- ip-dst|port: 115.178.77.145|8800
- ip-dst|port: 150.230.194.159|9444
- ip-dst|port: 23.254.225.130|443
- ip-dst|port: 51.83.248.92|443
- ip-dst|port: 54.227.224.229|443
- ip-dst|port: 54.227.224.229|8000
- ip-dst|port: 95.213.145.101|8080
- ip-dst|port: 216.238.83.131|443
- ip-dst|port: 23.94.57.167|2023
- url: http://155.94.135.33:8888/load
- url: https://94.131.105.174/push
- ip-dst|port: 94.131.105.174|443
- url: https://198.23.223.145:4433/match
- url: https://rlfslie.cloud:4433/match
- domain: rlfslie.cloud
- ip-dst|port: 154.26.192.11|4433
- url: http://it2it.tk:8443/pixel.gif
- domain: it2it.tk
- ip-dst|port: 45.91.81.42|8443
- ip-dst|port: 79.137.198.115|80
- url: http://20.222.7.224:1433/fwlink
- url: http://20.214.176.53:4445/dot.gif
- url: http://94.142.138.160/
- ip-dst|port: 5.255.102.167|443
- url: http://120.79.64.164:9999/audiencemanager.js
- url: http://47.103.64.64:1111/ie9compatviewlist.xml
- ip-dst|port: 20.189.26.53|80
- url: http://123.249.101.92/cm
- url: http://139.196.47.225:8045/dpixel
- ip-dst|port: 185.112.151.108|443
- url: http://218.28.63.34:8037/updates.rss
- url: http://101.42.38.79:8888/visit.js
- url: http://120.79.70.83/dpixel
- url: https://progetecloud.online/c/msdownload/update/others/2020/10/29136388_
- domain: progetecloud.online
- url: https://163.123.142.213/c/msdownload/update/others/2020/10/29136388_
- ip-dst|port: 163.123.142.213|443
- url: http://118.195.172.110:8012/owa/
- url: https://1.13.82.101:4443/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js
- url: http://101.43.215.118:9090/updates.rss
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
Indicators of Compromise
Url
Value | Description
---|---
http://104.193.254.45/bot/regex?key=3682a4b856cc8db9e7c6f4deda4a6fdc2a8f662f4cc34c6d4365d36e3ed0ab52 | LaplasClipper botnet C2 (confidence level: 100%)
http://45.159.189.105/bot/regex?key=3682a4b856cc8db9e7c6f4deda4a6fdc2a8f662f4cc34c6d4365d36e3ed0ab52 | LaplasClipper botnet C2 (confidence level: 100%)
http://68.183.13.128/?page_id=1860 | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
http://68.183.13.128/?page_id=4136377 | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
https://195.189.96.146/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://84.54.50.28/auth | Aurora Stealer botnet C2 (confidence level: 100%)
http://94.131.112.184/auth | Aurora Stealer botnet C2 (confidence level: 100%)
http://94.142.138.132/auth | Aurora Stealer botnet C2 (confidence level: 100%)
http://94.142.138.137/auth | Aurora Stealer botnet C2 (confidence level: 100%)
http://94.142.138.147/auth | Aurora Stealer botnet C2 (confidence level: 100%)
http://94.142.138.151/auth | Aurora Stealer botnet C2 (confidence level: 100%)
http://94.142.138.164/auth | Aurora Stealer botnet C2 (confidence level: 100%)
http://103.184.97.117/auth | Aurora Stealer botnet C2 (confidence level: 100%)
http://46.151.30.40/dbserver/8packet/cdncdn4datalife/securetodle/flowerlinuxmariadb/uploads/bigload7image/temporarycdn/basegamepipe/game0/testprotonrequestsql/db0mariadb9/7linevideo/vmserverpublic/multilongpolllow/cdndatalifeprovider/dumptestbetter/updateprotect.php | DCRat botnet C2 (confidence level: 100%)
http://45.128.234.216/externalto.php | DCRat botnet C2 (confidence level: 100%)
http://85.31.45.100/329b7da7ac4c3538.php | Stealc botnet C2 (confidence level: 100%)
http://45.90.222.125:7121/is-ready | Houdini botnet C2 (confidence level: 100%)
http://45.91.81.42:8081/cm | Cobalt Strike botnet C2 (confidence level: 100%)
https://service-dydpc1xk-1304560974.gz.apigw.tencentcs.com/api/x | Cobalt Strike botnet C2 (confidence level: 100%)
http://45.91.81.42:8082/load | Cobalt Strike botnet C2 (confidence level: 100%)
http://lahsfr12.top/gate.php | CryptBot botnet C2 (confidence level: 100%)
https://208.67.105.87:13443/push | Cobalt Strike botnet C2 (confidence level: 100%)
http://23.106.215.95/g9qpzle/index.php | Amadey botnet C2 (confidence level: 100%)
https://service-ftyn94bx-1308675124.cd.apigw.tencentcs.com/jquery/2.0.1/jquery.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://143.42.120.56:8082/discussion/mayo-clinic-radio-als/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://172.96.237.159:8443/visit.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://176.113.115.44/visit.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://143.42.120.56:47666/category/research-2/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://108.165.178.42/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://dyshangcheng.info:8888/cx | Cobalt Strike botnet C2 (confidence level: 100%)
http://101.43.220.96/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://88.214.27.53:50005/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://207.148.93.50:8090/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://88.214.27.53:50001/cm | Cobalt Strike botnet C2 (confidence level: 100%)
http://108.165.178.42/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
https://api.360com.live/_/scs/mail-static/_/js/ | Cobalt Strike botnet C2 (confidence level: 100%)
http://81.68.136.116/ga.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://146.190.116.245/twr1tzi/03/file.dll | QakBot payload delivery URL (confidence level: 100%)
http://134.209.216.163/qi46n1n/03/file.dll | QakBot payload delivery URL (confidence level: 100%)
http://162.243.186.39/snujx/03/file.dll | QakBot payload delivery URL (confidence level: 100%)
http://142.93.250.152/umua6sh/03/file.dll | QakBot payload delivery URL (confidence level: 100%)
http://161.35.58.146/fiu1z/03/file.dll | QakBot payload delivery URL (confidence level: 100%)
http://51.195.166.206/ | RecordBreaker botnet C2 (confidence level: 100%)
http://143.42.120.56:48888/category/research-2/ | Cobalt Strike botnet C2 (confidence level: 100%)
http://88.214.27.53:50006/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://1.15.120.10/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
http://157.230.128.40/utsm.php | QakBot payload delivery URL (confidence level: 100%)
http://164.92.104.231/tarl.php | QakBot payload delivery URL (confidence level: 100%)
http://143.198.98.187/gie.php | QakBot payload delivery URL (confidence level: 100%)
http://137.184.8.182/la.php | QakBot payload delivery URL (confidence level: 100%)
http://138.197.208.176/se.php | QakBot payload delivery URL (confidence level: 100%)
http://95.217.221.82/ | Vidar botnet C2 (confidence level: 100%)
http://95.217.221.82/photos.zip | Vidar botnet C2 (confidence level: 100%)
https://t.me/nemesisgrow | Vidar botnet C2 (confidence level: 100%)
https://steamcommunity.com/profiles/76561199471222742 | Vidar botnet C2 (confidence level: 100%)
http://116.202.8.130/ | Vidar botnet C2 (confidence level: 100%)
http://116.202.8.130/photos.zip | Vidar botnet C2 (confidence level: 100%)
http://65.109.12.165/ | Vidar botnet C2 (confidence level: 100%)
http://65.109.12.165/photos.zip | Vidar botnet C2 (confidence level: 100%)
http://77.91.78.50/ | RecordBreaker botnet C2 (confidence level: 100%)
http://155.94.135.33:8888/load | Cobalt Strike botnet C2 (confidence level: 100%)
https://94.131.105.174/push | Cobalt Strike botnet C2 (confidence level: 100%)
https://198.23.223.145:4433/match | Cobalt Strike botnet C2 (confidence level: 100%)
https://rlfslie.cloud:4433/match | Cobalt Strike botnet C2 (confidence level: 100%)
http://it2it.tk:8443/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://20.222.7.224:1433/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
http://20.214.176.53:4445/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://94.142.138.160/ | RecordBreaker botnet C2 (confidence level: 100%)
http://120.79.64.164:9999/audiencemanager.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://47.103.64.64:1111/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
http://123.249.101.92/cm | Cobalt Strike botnet C2 (confidence level: 100%)
http://139.196.47.225:8045/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://218.28.63.34:8037/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
http://101.42.38.79:8888/visit.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://120.79.70.83/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
https://progetecloud.online/c/msdownload/update/others/2020/10/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%)
https://163.123.142.213/c/msdownload/update/others/2020/10/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%)
http://118.195.172.110:8012/owa/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://1.13.82.101:4443/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://101.43.215.118:9090/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
Ip dst|port
IP | Port | Description
---|---|---
45.8.146.108 | 19179 | RedLine Stealer botnet C2 server (confidence level: 100%)
8.142.124.166 | 8443 | Cobalt Strike botnet C2 server (confidence level: 75%)
152.89.196.12 | 82 | Cobalt Strike botnet C2 server (confidence level: 75%)
1.13.82.101 | 4443 | Cobalt Strike botnet C2 server (confidence level: 75%)
79.134.225.17 | 3704 | STRRAT botnet C2 server (confidence level: 100%)
195.189.96.146 | 443 | Cobalt Strike botnet C2 server (confidence level: 100%)
37.0.14.205 | 3392 | STRRAT botnet C2 server (confidence level: 100%)
18.231.93.153 | 13305 | NjRAT botnet C2 server (confidence level: 100%)
54.94.248.37 | 13305 | NjRAT botnet C2 server (confidence level: 100%)
18.229.248.167 | 13305 | NjRAT botnet C2 server (confidence level: 100%)
18.229.146.63 | 13305 | NjRAT botnet C2 server (confidence level: 100%)
3.124.142.205 | 10776 | NjRAT botnet C2 server (confidence level: 100%)
3.125.209.94 | 10776 | NjRAT botnet C2 server (confidence level: 100%)
3.125.102.39 | 10776 | NjRAT botnet C2 server (confidence level: 100%)
18.158.249.75 | 10776 | NjRAT botnet C2 server (confidence level: 100%)
45.153.241.202 | 80 | Raccoon botnet C2 server (confidence level: 100%)
65.108.241.85 | 80 | Raccoon botnet C2 server (confidence level: 100%)
77.91.68.33 | 80 | Raccoon botnet C2 server (confidence level: 100%)
77.91.78.46 | 80 | Raccoon botnet C2 server (confidence level: 100%)
77.91.78.50 | 80 | Raccoon botnet C2 server (confidence level: 100%)
77.91.84.20 | 80 | Raccoon botnet C2 server (confidence level: 100%)
77.91.84.68 | 80 | Raccoon botnet C2 server (confidence level: 100%)
85.217.144.18 | 80 | Raccoon botnet C2 server (confidence level: 100%)
89.23.97.130 | 80 | Raccoon botnet C2 server (confidence level: 100%)
94.142.138.162 | 80 | Raccoon botnet C2 server (confidence level: 100%)
94.142.138.166 | 80 | Raccoon botnet C2 server (confidence level: 100%)
94.142.138.168 | 80 | Raccoon botnet C2 server (confidence level: 100%)
94.142.138.169 | 80 | Raccoon botnet C2 server (confidence level: 100%)
94.142.138.177 | 80 | Raccoon botnet C2 server (confidence level: 100%)
104.40.27.143 | 80 | Raccoon botnet C2 server (confidence level: 100%)
185.106.92.101 | 80 | Raccoon botnet C2 server (confidence level: 100%)
185.106.94.71 | 80 | Raccoon botnet C2 server (confidence level: 100%)
192.153.57.230 | 80 | Raccoon botnet C2 server (confidence level: 100%)
212.113.106.218 | 80 | Raccoon botnet C2 server (confidence level: 100%)
65.21.52.22 | 80 | Stealc botnet C2 server (confidence level: 100%)
94.142.138.171 | 80 | Stealc botnet C2 server (confidence level: 100%)
82.115.223.9 | 8081 | Aurora Stealer botnet C2 server (confidence level: 100%)
84.54.50.28 | 8081 | Aurora Stealer botnet C2 server (confidence level: 100%)
94.131.112.184 | 8081 | Aurora Stealer botnet C2 server (confidence level: 100%)
94.142.138.132 | 8081 | Aurora Stealer botnet C2 server (confidence level: 100%)
94.142.138.137 | 8081 | Aurora Stealer botnet C2 server (confidence level: 100%)
94.142.138.147 | 8081 | Aurora Stealer botnet C2 server (confidence level: 100%)
94.142.138.151 | 8081 | Aurora Stealer botnet C2 server (confidence level: 100%)
94.142.138.164 | 8081 | Aurora Stealer botnet C2 server (confidence level: 100%)
103.184.97.117 | 8081 | Aurora Stealer botnet C2 server (confidence level: 100%)
104.37.173.104 | 8081 | Aurora Stealer botnet C2 server (confidence level: 100%)
18.192.31.165 | 10776 | NjRAT botnet C2 server (confidence level: 100%)
135.181.24.195 | 28416 | RedLine Stealer botnet C2 server (confidence level: 100%)
85.217.144.59 | 45 | Mirai botnet C2 server (confidence level: 75%)
5.230.66.157 | 443 | IcedID botnet C2 server (confidence level: 75%)
45.11.180.82 | 80 | SharkBot botnet C2 server (confidence level: 75%)
5.230.73.157 | 443 | IcedID botnet C2 server (confidence level: 75%)
45.11.180.240 | 80 | SharkBot botnet C2 server (confidence level: 75%)
85.217.144.59 | 1024 | Mirai botnet C2 server (confidence level: 75%)
91.193.75.141 | 3236 | Ave Maria botnet C2 server (confidence level: 100%)
192.3.193.136 | 1344 | Nanocore RAT botnet C2 server (confidence level: 100%)
68.183.21.224 | 443 | Cobalt Strike botnet C2 server (confidence level: 100%)
91.241.93.150 | 80 | SharkBot botnet C2 server (confidence level: 75%)
103.213.111.207 | 6606 | AsyncRAT botnet C2 server (confidence level: 100%)
194.59.218.147 | 8808 | AsyncRAT botnet C2 server (confidence level: 100%)
51.68.180.4 | 4040 | AsyncRAT botnet C2 server (confidence level: 75%)
51.68.180.4 | 5058 | AsyncRAT botnet C2 server (confidence level: 75%)
51.68.180.4 | 6606 | AsyncRAT botnet C2 server (confidence level: 75%)
51.68.180.4 | 7707 | AsyncRAT botnet C2 server (confidence level: 75%)
51.68.180.4 | 80 | AsyncRAT botnet C2 server (confidence level: 75%)
51.68.180.4 | 8808 | AsyncRAT botnet C2 server (confidence level: 75%)
82.115.223.9 | 80 | Aurora Stealer botnet C2 server (confidence level: 50%)
103.184.97.117 | 80 | Aurora Stealer botnet C2 server (confidence level: 50%)
94.142.138.164 | 80 | Aurora Stealer botnet C2 server (confidence level: 50%)
94.142.138.151 | 80 | Aurora Stealer botnet C2 server (confidence level: 50%)
94.142.138.147 | 80 | Aurora Stealer botnet C2 server (confidence level: 50%)
94.142.138.137 | 80 | Aurora Stealer botnet C2 server (confidence level: 50%)
94.142.138.132 | 80 | Aurora Stealer botnet C2 server (confidence level: 50%)
94.131.112.184 | 80 | Aurora Stealer botnet C2 server (confidence level: 50%)
179.61.251.213 | 5683 | Mirai botnet C2 server (confidence level: 75%)
46.8.19.163 | 445 | ISFB payload delivery server (confidence level: 75%)
46.8.19.32 | 445 | ISFB payload delivery server (confidence level: 75%)
62.173.140.103 | 80 | ISFB botnet C2 server (confidence level: 75%)
31.41.44.63 | 80 | ISFB botnet C2 server (confidence level: 75%)
46.8.19.239 | 80 | ISFB botnet C2 server (confidence level: 75%)
185.77.96.40 | 80 | ISFB botnet C2 server (confidence level: 75%)
46.8.19.116 | 80 | ISFB botnet C2 server (confidence level: 75%)
31.41.44.48 | 80 | ISFB botnet C2 server (confidence level: 75%)
62.173.139.11 | 80 | ISFB botnet C2 server (confidence level: 75%)
62.173.138.251 | 80 | ISFB botnet C2 server (confidence level: 75%)
101.43.220.96 | 80 | Cobalt Strike botnet C2 server (confidence level: 100%)
101.43.215.118 | 9090 | Cobalt Strike botnet C2 server (confidence level: 75%)
118.195.172.110 | 8012 | Cobalt Strike botnet C2 server (confidence level: 75%)
179.43.187.185 | 8080 | Cobalt Strike botnet C2 server (confidence level: 75%)
84.32.34.97 | 80 | Cobalt Strike botnet C2 server (confidence level: 75%)
57.128.195.112 | 8443 | Cobalt Strike botnet C2 server (confidence level: 75%)
1.15.141.252 | 8080 | Cobalt Strike botnet C2 server (confidence level: 75%)
27.99.34.220 | 2222 | QakBot botnet C2 server (confidence level: 100%)
83.7.52.249 | 443 | QakBot botnet C2 server (confidence level: 100%)
160.176.143.232 | 443 | QakBot botnet C2 server (confidence level: 100%)
64.237.221.254 | 443 | QakBot botnet C2 server (confidence level: 100%)
180.158.186.175 | 995 | QakBot botnet C2 server (confidence level: 100%)
176.205.188.253 | 2222 | QakBot botnet C2 server (confidence level: 100%)
105.186.229.25 | 995 | QakBot botnet C2 server (confidence level: 100%)
102.46.73.102 | 995 | QakBot botnet C2 server (confidence level: 100%)
87.223.81.32 | 443 | QakBot botnet C2 server (confidence level: 100%)
116.74.164.150 | 443 | QakBot botnet C2 server (confidence level: 100%)
109.149.148.242 | 2222 | QakBot botnet C2 server (confidence level: 100%)
202.187.239.34 | 995 | QakBot botnet C2 server (confidence level: 100%)
217.165.230.100 | 2222 | QakBot botnet C2 server (confidence level: 100%)
86.98.212.69 | 443 | QakBot botnet C2 server (confidence level: 100%)
41.62.129.151 | 443 | QakBot botnet C2 server (confidence level: 100%)
37.186.55.152 | 2222 | QakBot botnet C2 server (confidence level: 100%)
171.97.42.222 | 443 | QakBot botnet C2 server (confidence level: 100%)
86.99.51.33 | 2222 | QakBot botnet C2 server (confidence level: 100%)
80.1.152.201 | 443 | QakBot botnet C2 server (confidence level: 100%)
31.167.215.175 | 995 | QakBot botnet C2 server (confidence level: 100%)
82.212.119.175 | 443 | QakBot botnet C2 server (confidence level: 100%)
85.139.118.210 | 443 | QakBot botnet C2 server (confidence level: 100%)
1.15.120.10 | 80 | Cobalt Strike botnet C2 server (confidence level: 100%)
176.10.111.192 | 80 | SharkBot botnet C2 server (confidence level: 75%)
176.10.111.199 | 80 | SharkBot botnet C2 server (confidence level: 75%)
185.219.220.78 | 80 | SharkBot botnet C2 server (confidence level: 75%)
185.219.220.136 | 80 | SharkBot botnet C2 server (confidence level: 75%)
104.168.151.120 | 443 | BumbleBee botnet C2 server (confidence level: 75%)
95.217.221.82 | 80 | Vidar botnet C2 server (confidence level: 100%)
116.202.8.130 | 80 | Vidar botnet C2 server (confidence level: 100%)
65.109.12.165 | 80 | Vidar botnet C2 server (confidence level: 100%)
147.185.221.229 | 56094 | Orcus RAT botnet C2 server (confidence level: 100%)
194.87.68.68 | 25 | Sliver botnet C2 server (confidence level: 50%)
194.87.68.68 | 80 | Sliver botnet C2 server (confidence level: 50%)
146.70.124.72 | 7443 | Unknown malware botnet C2 server (confidence level: 50%)
112.29.177.90 | 10036 | Deimos botnet C2 server (confidence level: 50%)
112.29.177.91 | 10036 | Deimos botnet C2 server (confidence level: 50%)
112.29.177.98 | 10036 | Deimos botnet C2 server (confidence level: 50%)
115.178.77.145 | 8800 | Deimos botnet C2 server (confidence level: 50%)
150.230.194.159 | 9444 | Deimos botnet C2 server (confidence level: 50%)
ip-dst|port23.254.225.130|443 | BumbleBee botnet C2 server (confidence level: 100%) | |
ip-dst|port51.83.248.92|443 | BumbleBee botnet C2 server (confidence level: 100%) | |
ip-dst|port54.227.224.229|443 | BianLian botnet C2 server (confidence level: 50%) | |
ip-dst|port54.227.224.229|8000 | BianLian botnet C2 server (confidence level: 50%) | |
ip-dst|port95.213.145.101|8080 | BianLian botnet C2 server (confidence level: 50%) | |
ip-dst|port216.238.83.131|443 | BianLian botnet C2 server (confidence level: 50%) | |
ip-dst|port23.94.57.167|2023 | Kaiji botnet C2 server (confidence level: 75%) | |
ip-dst|port94.131.105.174|443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port154.26.192.11|4433 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port45.91.81.42|8443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port79.137.198.115|80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port5.255.102.167|443 | IcedID botnet C2 server (confidence level: 75%) | |
ip-dst|port20.189.26.53|80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port185.112.151.108|443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port163.123.142.213|443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
Domain
Type | Value | Description |
---|---|---|
domain | orduhanpi.ru | Unknown malware botnet C2 domain (confidence level: 100%) |
domain | ogtaypi.ru | Unknown malware botnet C2 domain (confidence level: 100%) |
domain | myuridgo.ru | Unknown malware botnet C2 domain (confidence level: 100%) |
domain | muhtargo.ru | Unknown malware botnet C2 domain (confidence level: 100%) |
domain | muhsingo.ru | Unknown malware botnet C2 domain (confidence level: 100%) |
domain | osmanpo.ru | Unknown malware botnet C2 domain (confidence level: 100%) |
domain | payampo.ru | Unknown malware botnet C2 domain (confidence level: 100%) |
domain | download-discord.top | Stealc payload delivery domain (confidence level: 100%) |
domain | service-ftyn94bx-1308675124.cd.apigw.tencentcs.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
domain | api.360com.live | Cobalt Strike botnet C2 domain (confidence level: 100%) |
domain | rlfslie.cloud | Cobalt Strike botnet C2 domain (confidence level: 100%) |
domain | it2it.tk | Cobalt Strike botnet C2 domain (confidence level: 100%) |
domain | progetecloud.online | Cobalt Strike botnet C2 domain (confidence level: 100%) |
Hash
Type | Value | Description |
---|---|---|
hash | c9e84fae8578d34ab6b65d5c44e54fb2 | Unknown malware payload (confidence level: 100%) |
hash | caedf21246e5920e1015959f9fc9029f | Unknown malware payload (confidence level: 100%) |
hash | 32031a03a5302c16d28028dbe3cc911e | Unknown malware payload (confidence level: 100%) |
hash | ee71e50f5c24475a08456cc6486e12da | Unknown malware payload (confidence level: 100%) |
hash | 9f4186242fd9479571daf9ea59a81342 | Unknown malware payload (confidence level: 100%) |
hash | 8635a69131f07f61225891a7d5ec8ace | Unknown malware payload (confidence level: 100%) |
Threat ID: 6828eab9e1a0c275ea6e2e23
Added to database: 5/17/2025, 7:59:53 PM
Last enriched: 7/3/2025, 6:55:42 AM
Last updated: 8/17/2025, 3:15:09 PM