ThreatFox IOCs for 2023-07-01
AI Analysis
Technical Summary
The provided threat intelligence pertains to a set of Indicators of Compromise (IOCs) published on July 1, 2023, by ThreatFox, a platform specializing in sharing threat intelligence data. The threat is classified as malware-related and is associated with OSINT (Open Source Intelligence) tools or data. However, no specific affected software versions or products are identified, and no detailed technical indicators such as malware signatures, attack vectors, or exploitation methods are provided. The threat level is indicated as medium, with a threatLevel score of 2 (on an unspecified scale), analysis score of 1, and distribution score of 3, suggesting moderate dissemination but limited technical detail or confirmed exploitation. There are no known exploits in the wild linked to this threat, and no patch or mitigation links are available. The absence of Common Weakness Enumerations (CWEs) and the lack of detailed technical indicators imply that this intelligence is primarily informational, possibly serving as a repository or reference for OSINT-related malware activity rather than describing a specific active threat campaign. The TLP (Traffic Light Protocol) designation is white, indicating that the information is intended for public sharing without restriction.
Potential Impact
Given the lack of detailed technical information and absence of confirmed exploits, the direct impact of this threat on European organizations is currently limited. However, as the threat relates to OSINT malware, it may be used for reconnaissance, data gathering, or preparatory stages of more sophisticated attacks. European organizations that rely heavily on open-source intelligence tools or integrate OSINT data into their security operations could face risks if these IOCs are indicators of emerging malware campaigns. Potential impacts include unauthorized data collection, exposure of sensitive information, or facilitation of subsequent targeted attacks. The medium severity rating suggests a moderate risk level, emphasizing the need for vigilance but not indicating immediate critical threats. The broad distribution score implies that these IOCs may be circulating widely, increasing the chance of exposure but without confirmed active exploitation.
Mitigation Recommendations
1. Integrate the provided IOCs into existing threat intelligence platforms and security information and event management (SIEM) systems to enhance detection capabilities.
2. Conduct regular OSINT tool and data source audits to ensure they are sourced from reputable providers and have not been compromised.
3. Implement strict access controls and monitoring around OSINT data usage to detect anomalous activities that could indicate malware presence.
4. Educate security teams on the importance of validating OSINT data and recognizing potential malware indicators within open-source feeds.
5. Maintain up-to-date endpoint protection and network monitoring solutions capable of detecting suspicious behaviors associated with reconnaissance or data exfiltration.
6. Collaborate with threat intelligence sharing communities to receive timely updates on any evolution of these IOCs into active threats.
These measures go beyond generic advice by focusing on the specific context of OSINT-related malware and the integration of IOCs into operational security workflows.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Indicators of Compromise
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- Uuid: ef41660e-1a7a-458a-8dc7-cdd10c0f6e91
- Original Timestamp: 1688256187
Threat ID: 682c7abde3e6de8ceb754421
Added to database: 5/20/2025, 12:51:09 PM
Last enriched: 6/19/2025, 1:04:50 PM
Last updated: 8/16/2025, 1:28:26 AM