ThreatFox IOCs for 2023-05-13
AI Analysis
Technical Summary
The provided threat intelligence pertains to a set of Indicators of Compromise (IOCs) published on May 13, 2023, by ThreatFox, a platform specializing in sharing threat intelligence data. The threat is categorized as malware-related and is associated with OSINT (Open Source Intelligence) tools or data, as indicated by the product field. However, there are no specific affected software versions or products listed, and no detailed technical indicators such as file hashes, IP addresses, or domain names are provided. The threat level is rated as 2 on an unspecified scale, with analysis and distribution scores of 1 and 3 respectively, suggesting moderate distribution but limited analysis depth. There are no known exploits in the wild linked to this threat, and no patches or mitigation links are provided. The tags include "type:osint" and "tlp:white," indicating that the information is publicly shareable without restrictions. Overall, the data represents a medium-severity malware threat identified through OSINT methods, but lacks detailed technical specifics or evidence of active exploitation, limiting the ability to fully characterize the malware's behavior, infection vectors, or payload capabilities.
Potential Impact
Given the absence of detailed technical indicators and the lack of known exploits in the wild, the immediate impact on European organizations is likely limited. However, the presence of malware-related IOCs in OSINT repositories suggests potential reconnaissance or preparatory activity by threat actors. If these IOCs are integrated into detection systems, organizations could enhance their ability to identify early-stage compromises. The medium severity rating implies some risk to confidentiality, integrity, or availability if the malware were to be deployed effectively. European organizations, especially those relying on open-source threat intelligence feeds for security monitoring, could face increased alert volumes or false positives if these IOCs are not properly contextualized. Additionally, sectors with high exposure to malware threats, such as finance, critical infrastructure, and government, should remain vigilant. The lack of known exploits reduces the immediate threat but does not eliminate the possibility of future exploitation or targeted attacks leveraging these IOCs.
Mitigation Recommendations
1. Integrate the provided IOCs into existing security information and event management (SIEM) and endpoint detection and response (EDR) systems to enhance detection capabilities, ensuring that these indicators are validated to reduce false positives.
2. Conduct regular threat hunting exercises using the IOCs to identify any early signs of compromise within the network.
3. Maintain up-to-date malware detection signatures and behavioral analytics to detect variants or related malware activity that may not be covered by static IOCs.
4. Enhance user awareness training focusing on malware infection vectors, especially phishing and social engineering, which remain common initial attack vectors.
5. Implement network segmentation and strict access controls to limit lateral movement in case of infection.
6. Establish a process for continuous monitoring of OSINT sources like ThreatFox to promptly incorporate emerging threat intelligence.
7. Since no patches are available, emphasize proactive detection and containment strategies rather than reactive patching.
8. Collaborate with national cybersecurity centers and industry-specific Information Sharing and Analysis Centers (ISACs) to share and receive contextualized intelligence relevant to this threat.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Indicators of Compromise
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- UUID: e69d39dd-9820-46a7-a7d0-46b4caa88b03
- Original Timestamp: 1684022586
urlhttp://101.226.27.217:443/jquery-3.6.1.min.js | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://101.226.27.241:443/jquery-3.6.1.min.js | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://101.226.27.251:443/jquery-3.6.1.min.js | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://101.226.27.253:443/jquery-3.6.1.min.js | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://101.226.28.251:443/jquery-3.6.1.min.js | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://106.55.199.146:9990/load | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://106.55.199.146:9990/vrmh | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://175.178.1.95:4433/tydl | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://49.232.97.58:80/fwlink | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://82.157.161.99:1001/dpixel | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://fllrnd.com:443/scrub | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://43.138.234.86/js/components/content-info-b0c0e5245b.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://212.192.246.127:443/ptj | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://82.117.255.211/11acf293b39e9ca9.php | Stealc botnet C2 (confidence level: 100%) | |
urlhttp://47.106.21.82:80/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttps://150.158.11.76/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://47.103.64.64:1111/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://45.66.230.25/load | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://www.newbing.fyi:8080/search/ | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://103.146.179.94:8093/push | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://helloworld.testediliyoruz.workers.dev/poll | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://47.113.227.71:7777/match | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://39.100.33.82/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://162.19.155.49:8008/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) |
Domain
Threat ID: 682c7ac3e3e6de8ceb76f5b0
Added to database: 5/20/2025, 12:51:15 PM
Last enriched: 6/19/2025, 2:47:42 PM
Last updated: 8/15/2025, 7:25:29 PM