ThreatFox IOCs for 2023-07-05
Severity: mediumType: malware
ThreatFox IOCs for 2023-07-05
AI Analysis
Technical Summary
The provided threat information pertains to a malware-related intelligence report titled "ThreatFox IOCs for 2023-07-05," sourced from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat intelligence. The report is categorized under "type:osint," indicating it primarily involves open-source intelligence data rather than a specific malware family or exploit. There are no affected product versions or specific vulnerabilities listed, and no known exploits in the wild have been reported. The technical details include a threat level of 2 (on an unspecified scale), an analysis rating of 1, and a distribution rating of 3, suggesting moderate dissemination or awareness of the threat. The absence of concrete IOCs, CWE identifiers, or patch links implies that this report serves more as a situational awareness update rather than detailing an active or emerging exploit. The medium severity classification likely reflects the potential risk posed by the malware category in general, rather than a specific, high-impact threat. Given the lack of detailed technical indicators, the threat appears to be in an early or observational phase, with limited actionable intelligence for immediate defensive measures.
Potential Impact
For European organizations, the impact of this threat is currently limited due to the absence of known exploits and specific affected systems. However, as the report relates to malware and OSINT data, there is a potential risk that adversaries could leverage the shared intelligence to craft targeted attacks or reconnaissance activities. Organizations involved in critical infrastructure, finance, or government sectors might face increased exposure if threat actors use these IOCs to identify vulnerabilities or plan intrusion campaigns. The medium severity suggests that while immediate disruption or data compromise is unlikely, vigilance is warranted to prevent escalation. The lack of detailed indicators means that detection and response capabilities may not be directly enhanced by this report, potentially delaying identification of related malicious activities. Overall, the threat's impact is more strategic and preparatory rather than operational at this stage.
Mitigation Recommendations
Given the limited technical details, European organizations should focus on enhancing their threat intelligence integration and proactive monitoring capabilities. Specific recommendations include: 1) Incorporate ThreatFox and similar OSINT feeds into Security Information and Event Management (SIEM) systems to correlate any emerging indicators with internal logs. 2) Conduct regular threat hunting exercises focusing on malware behaviors consistent with the medium severity classification, even in the absence of explicit IOCs. 3) Maintain up-to-date endpoint detection and response (EDR) tools configured to detect anomalous activities typical of malware infections. 4) Engage in information sharing with sector-specific Computer Security Incident Response Teams (CSIRTs) to stay informed about evolving threats. 5) Train security teams to recognize early signs of reconnaissance or low-level malware activity that could precede more significant attacks. These measures go beyond generic advice by emphasizing integration of OSINT feeds and proactive threat hunting tailored to the current intelligence context.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- url: http://193.27.90.104/
- url: http://193.27.90.104/gipica.zip
- file: 185.252.179.190
- hash: 42069
- url: http://172.86.70.117/94ed4bf54583a4fa.php
- url: https://vnet.keshant.com:8443/api/3
- file: 23.106.140.90
- hash: 8443
- file: 187.211.118.225
- hash: 443
- file: 70.177.91.236
- hash: 443
- url: http://161.35.102.56/~nikol/?p=3702260915
- file: 194.233.175.76
- hash: 3778
- url: http://138.68.56.139/?p=370764885722297
- file: 190.134.54.109
- hash: 995
- url: http://45.15.159.188/f2cb651e3e755a0f.php
- file: 104.243.47.45
- hash: 5230
- url: http://185.246.220.60/official/five/fre.php
- file: 103.82.25.131
- hash: 31337
- file: 5.181.80.102
- hash: 7267
- file: 190.211.252.50
- hash: 4277
- file: 134.122.121.18
- hash: 8888
- file: 134.122.121.18
- hash: 443
- file: 134.122.121.18
- hash: 31337
- file: 116.62.139.1
- hash: 31337
- file: 116.62.139.1
- hash: 8000
- file: 52.147.196.140
- hash: 443
- file: 78.57.231.58
- hash: 80
- file: 46.44.62.227
- hash: 5985
- file: 165.22.57.138
- hash: 80
- file: 165.22.57.138
- hash: 443
- file: 104.238.60.31
- hash: 80
- file: 104.238.60.31
- hash: 443
- file: 167.114.115.246
- hash: 445
- file: 37.187.222.230
- hash: 8848
- url: https://t.me/iseepass
- url: http://142.132.230.215/
- url: http://142.132.230.215/upload.zip
- file: 142.132.230.215
- hash: 80
- file: 193.27.90.104
- hash: 80
- file: 173.44.141.47
- hash: 443
- file: 173.44.141.237
- hash: 80
- domain: 173-44-141-47.nip.io
- url: https://173-44-141-47.nip.io/2fa0ce
- hash: 44ba46dfff78bc62a3b2619d308ca40c
- domain: elbendito.con-ip.com
- url: http://171.22.30.147/ksize/five/fre.php
- domain: bts.korpop.top
- url: http://97528733.clmonth.whiteproducts.ru/whiteproducts.php
- url: http://91.215.85.166/_/scs/mail-static/_/js/
- file: 91.215.85.166
- hash: 80
- url: https://91.215.85.166/_/scs/mail-static/_/js/
- file: 91.215.85.166
- hash: 443
- url: http://119.91.195.178:2053/www/handle/doc
- url: http://43.138.198.123:443/jquery-3.3.1.min.js
- url: http://43.138.198.123:443/jquery-3.3.2.slim.min.js
- url: http://114.132.190.7:80/introduction/edr
- url: http://591.cdn-vod.huaweicloud.com:443/dist/css/bootstrap.min.css
- file: 117.215.23.20
- hash: 993
- file: 103.211.63.108
- hash: 443
- file: 74.12.147.112
- hash: 2083
- url: https://www.muenchner-finanzhlife.com/owa/
- domain: www.muenchner-finanzhlife.com
- url: https://101.43.215.118/visit.js
- url: http://47.108.218.63:81/match
- url: http://43.140.199.178:8086/activity
- url: https://101.43.129.115/pixel.gif
- url: http://47.242.0.207:9999/cm
- url: http://47.242.0.207:8080/g.pixel
- url: https://123.234.2.86/reactivate/encryption/lkpfsfmbp
- url: https://122.246.22.237/reactivate/encryption/lkpfsfmbp
- url: https://1.62.64.92/reactivate/encryption/lkpfsfmbp
- url: https://58.221.30.105/reactivate/encryption/lkpfsfmbp
- url: http://5.75.208.184:27016/
- url: http://116.203.14.106/
- url: http://5.75.208.184:27016/get.zip
- url: http://116.203.14.106/get.zip
- file: 116.203.14.106
- hash: 80
- file: 5.75.208.184
- hash: 27016
- url: https://47.92.97.171:8443/updates.rss
- domain: ns1.dnslive.top
- domain: ns2.dnslive.top
- file: 198.44.169.19
- hash: 53
- domain: peace.winexmarkets11.com
- file: 54.226.51.227
- hash: 53
- domain: data.microsoft-cloud-upload.com
- file: 123.60.84.194
- hash: 53
- file: 54.196.194.166
- hash: 53
- file: 54.226.3.99
- hash: 53
- domain: guest.grovedentalpractice.com
- file: 18.116.33.255
- hash: 53
- url: http://175.178.213.59/__utm.gif
- url: http://124.221.76.197/ptj
- url: http://101.43.129.115:90/__utm.gif
- file: 8.136.201.3
- hash: 81
- file: 105.184.83.161
- hash: 995
- file: 161.142.96.70
- hash: 995
- domain: delideta.com
- url: http://37.46.129.39/default4/_apilongpollwp/dumplinux/eternalpollasynclow/79updatemariadb/cdnphpdatalife7/wp/javascriptasyncserver/vmjavascriptprotectpublic.php
- file: 201.143.134.220
- hash: 443
- domain: service.coffeeplato.com
- file: 44.201.147.83
- hash: 53
- file: 1.14.127.220
- hash: 3389
- file: 77.246.99.131
- hash: 3726
- url: http://service-cufhwy32-1317863896.gz.apigw.tencentcs.com/api/getit
- domain: service-cufhwy32-1317863896.gz.apigw.tencentcs.com
- file: 43.138.212.90
- hash: 80
- url: https://38.147.172.79:10443/api/check
- url: http://117.50.174.131:7777/api/x
- url: http://114.132.79.194:5555/activity
- domain: mofagov.live
- domain: mofagov.info
- url: http://nuevogomelove.webredirect.org/googledocs.txt
- domain: nuevogomelove.webredirect.org
- domain: catrinavc.shop
- file: 158.69.110.219
- hash: 9002
- file: 137.135.127.65
- hash: 5603
- hash: e355f48c3ed7ee1ee13c65ca592f911a
- file: 121.36.225.82
- hash: 100
- url: http://85.175.101.203/en_us/all.js
- url: http://87.121.221.212/prosperzx.doc
- file: 89.36.206.3
- hash: 995
- file: 113.193.166.107
- hash: 443
- url: http://43.139.136.224/en_us/all.js
- url: http://167.172.1.42:8086/c/msdownload/update/others/2016/12/29136388_
- url: http://119.13.90.176:9000/pixel
- url: http://167.172.1.42:8088/c/msdownload/update/others/2016/12/29136388_
- url: http://167.172.1.42:8084/c/msdownload/update/others/2016/12/29136388_
- url: http://167.172.1.42:9001/c/msdownload/update/others/2016/12/29136388_
- url: https://service-qke82nt8-1301348154.gz.apigw.tencentcs.com/activity
- url: https://101.43.129.115/updates.rss
- url: http://167.172.1.42:8085/c/msdownload/update/others/2016/12/29136388_
- url: http://81.71.137.243/ie9compatviewlist.xml
- domain: tat.secretcms.top
- url: http://123.57.174.182:8888/ca
- url: http://47.108.218.63:81/load
- url: http://154.221.17.44:2090/dot.gif
- url: http://94.142.138.168/
- url: http://1.14.63.190:8999/pixel
- url: http://39.107.70.26:8888/pixel.gif
- url: http://tthre3sr.top/zip.php
- file: 45.15.156.21
- hash: 15863
- hash: 2b15e141363e6f69a48e45b8ecb92176
- hash: d35a9ab04a246de36b5f37b1b98dfe2f
- hash: b3bcae51f0976c9716fd82503c1692b6
- hash: dbd5903b3044965d708aec5c54a5e680
- hash: b7ac63896066c386b66e5e27805c277a
- hash: 3855f8e6e4c41f8b0833ecee70f5cb37
- hash: a7067de7145a86d787c4f1a0e652c093
- hash: 889017305bc03aed07e8c62a1ed02d03
- file: 5.42.87.102
- hash: 45
- file: 103.172.227.110
- hash: 443
- file: 116.75.63.252
- hash: 443
- file: 74.12.147.211
- hash: 2083
- file: 77.91.68.70
- hash: 19073
- file: 87.121.221.53
- hash: 6606
- file: 87.121.221.53
- hash: 7707
- file: 87.121.221.53
- hash: 8808
- file: 197.204.60.154
- hash: 443
- file: 39.40.228.232
- hash: 995
- file: 103.166.185.17
- hash: 3778
- file: 37.1.220.35
- hash: 80
- file: 104.238.60.31
- hash: 5985
- file: 139.84.172.30
- hash: 443
- file: 41.147.196.64
- hash: 80
- file: 74.12.147.211
- hash: 2222
- file: 193.149.129.87
- hash: 443
- file: 45.144.178.236
- hash: 443
- file: 115.236.153.170
- hash: 11302
- file: 59.88.166.218
- hash: 993
- file: 85.175.101.203
- hash: 53
- url: https://cins.hin7lostvas.pro/groupcp.css
- file: 103.57.228.100
- hash: 443
- file: 185.234.114.92
- hash: 8080
- url: http://service-cufhwy32-1317863896.gz.apigw.tencentcs.com:801/api/getit
- file: 43.138.212.90
- hash: 801
- url: http://43.136.173.81:8080/fwlink
- url: http://43.131.242.233/pixel.gif
- file: 43.131.242.233
- hash: 80
- url: http://43.139.140.135/match
- file: 43.139.140.135
- hash: 80
- url: http://34.223.254.65/zomgapt
- file: 34.223.254.65
- hash: 80
- url: http://139.9.151.71:8081/en_us/all.js
- url: http://www.windowupdates.one:2082/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- domain: www.windowupdates.one
- file: 45.77.92.21
- hash: 2082
- url: https://116.63.140.226/sugrec
- file: 116.63.140.226
- hash: 443
- url: https://176.113.115.145/updates.rss
- file: 176.113.115.145
- hash: 443
- url: http://59.110.215.128/dot.gif
- file: 59.110.215.128
- hash: 80
- url: http://114.132.226.154:12348/api/getit
- url: http://111.231.28.170:8099/ca
- url: http://185.225.74.182:4444/dot.gif
- url: http://38.54.87.125:8080/us/ky/louisville/312-s-fourth-st.html
- url: http://81.70.0.37:8888/visit.js
- file: 180.76.164.197
- hash: 80
- url: https://154.37.153.88/updates.rss
- file: 154.37.153.88
- hash: 443
- url: http://101.43.249.151:3083/updates.rss
- url: http://43.136.14.250/pixel
- file: 43.136.14.250
- hash: 80
- url: http://176.113.115.145/fwlink
- file: 176.113.115.145
- hash: 80
- url: http://110.41.162.116:10086/ie9compatviewlist.xml
- url: http://198.98.52.184:20001/load
- url: http://39.104.81.101:7005/cx
ThreatFox IOCs for 2023-07-05
Medium
Published: Wed Jul 05 2023 (07/05/2023, 00:00:00 UTC)
Source: ThreatFox
Vendor/Project: type
Product: osint
Description
ThreatFox IOCs for 2023-07-05
AI-Powered Analysis
AILast updated: 06/19/2025, 13:31:51 UTC
Technical Analysis
The provided threat information pertains to a malware-related intelligence report titled "ThreatFox IOCs for 2023-07-05," sourced from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat intelligence. The report is categorized under "type:osint," indicating it primarily involves open-source intelligence data rather than a specific malware family or exploit. There are no affected product versions or specific vulnerabilities listed, and no known exploits in the wild have been reported. The technical details include a threat level of 2 (on an unspecified scale), an analysis rating of 1, and a distribution rating of 3, suggesting moderate dissemination or awareness of the threat. The absence of concrete IOCs, CWE identifiers, or patch links implies that this report serves more as a situational awareness update rather than detailing an active or emerging exploit. The medium severity classification likely reflects the potential risk posed by the malware category in general, rather than a specific, high-impact threat. Given the lack of detailed technical indicators, the threat appears to be in an early or observational phase, with limited actionable intelligence for immediate defensive measures.
Potential Impact
For European organizations, the impact of this threat is currently limited due to the absence of known exploits and specific affected systems. However, as the report relates to malware and OSINT data, there is a potential risk that adversaries could leverage the shared intelligence to craft targeted attacks or reconnaissance activities. Organizations involved in critical infrastructure, finance, or government sectors might face increased exposure if threat actors use these IOCs to identify vulnerabilities or plan intrusion campaigns. The medium severity suggests that while immediate disruption or data compromise is unlikely, vigilance is warranted to prevent escalation. The lack of detailed indicators means that detection and response capabilities may not be directly enhanced by this report, potentially delaying identification of related malicious activities. Overall, the threat's impact is more strategic and preparatory rather than operational at this stage.
Mitigation Recommendations
Given the limited technical details, European organizations should focus on enhancing their threat intelligence integration and proactive monitoring capabilities. Specific recommendations include: 1) Incorporate ThreatFox and similar OSINT feeds into Security Information and Event Management (SIEM) systems to correlate any emerging indicators with internal logs. 2) Conduct regular threat hunting exercises focusing on malware behaviors consistent with the medium severity classification, even in the absence of explicit IOCs. 3) Maintain up-to-date endpoint detection and response (EDR) tools configured to detect anomalous activities typical of malware infections. 4) Engage in information sharing with sector-specific Computer Security Incident Response Teams (CSIRTs) to stay informed about evolving threats. 5) Train security teams to recognize early signs of reconnaissance or low-level malware activity that could precede more significant attacks. These measures go beyond generic advice by emphasizing integration of OSINT feeds and proactive threat hunting tailored to the current intelligence context.
Affected Countries
Need more detailed analysis?Get Pro
Pro Feature
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- eea85a5e-4e88-442a-afc8-e5bf13389f29
- Original Timestamp
- 1688601787
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://193.27.90.104/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://193.27.90.104/gipica.zip | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://172.86.70.117/94ed4bf54583a4fa.php | Stealc botnet C2 (confidence level: 100%) | |
urlhttps://vnet.keshant.com:8443/api/3 | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://161.35.102.56/~nikol/?p=3702260915 | Loki Password Stealer (PWS) botnet C2 (confidence level: 75%) | |
urlhttp://138.68.56.139/?p=370764885722297 | Loki Password Stealer (PWS) botnet C2 (confidence level: 75%) | |
urlhttp://45.15.159.188/f2cb651e3e755a0f.php | Stealc botnet C2 (confidence level: 100%) | |
urlhttp://185.246.220.60/official/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%) | |
urlhttps://t.me/iseepass | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://142.132.230.215/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://142.132.230.215/upload.zip | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://173-44-141-47.nip.io/2fa0ce | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://171.22.30.147/ksize/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%) | |
urlhttp://97528733.clmonth.whiteproducts.ru/whiteproducts.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://91.215.85.166/_/scs/mail-static/_/js/ | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://91.215.85.166/_/scs/mail-static/_/js/ | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://119.91.195.178:2053/www/handle/doc | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://43.138.198.123:443/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://43.138.198.123:443/jquery-3.3.2.slim.min.js | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://114.132.190.7:80/introduction/edr | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://591.cdn-vod.huaweicloud.com:443/dist/css/bootstrap.min.css | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttps://www.muenchner-finanzhlife.com/owa/ | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://101.43.215.118/visit.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://47.108.218.63:81/match | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://43.140.199.178:8086/activity | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://101.43.129.115/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://47.242.0.207:9999/cm | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://47.242.0.207:8080/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://123.234.2.86/reactivate/encryption/lkpfsfmbp | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://122.246.22.237/reactivate/encryption/lkpfsfmbp | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://1.62.64.92/reactivate/encryption/lkpfsfmbp | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://58.221.30.105/reactivate/encryption/lkpfsfmbp | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://5.75.208.184:27016/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://116.203.14.106/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://5.75.208.184:27016/get.zip | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://116.203.14.106/get.zip | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://47.92.97.171:8443/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://175.178.213.59/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://124.221.76.197/ptj | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://101.43.129.115:90/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://37.46.129.39/default4/_apilongpollwp/dumplinux/eternalpollasynclow/79updatemariadb/cdnphpdatalife7/wp/javascriptasyncserver/vmjavascriptprotectpublic.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://service-cufhwy32-1317863896.gz.apigw.tencentcs.com/api/getit | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://38.147.172.79:10443/api/check | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://117.50.174.131:7777/api/x | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://114.132.79.194:5555/activity | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://nuevogomelove.webredirect.org/googledocs.txt | Mekotio botnet C2 (confidence level: 100%) | |
urlhttp://85.175.101.203/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://87.121.221.212/prosperzx.doc | Agent Tesla payload delivery URL (confidence level: 100%) | |
urlhttp://43.139.136.224/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://167.172.1.42:8086/c/msdownload/update/others/2016/12/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://119.13.90.176:9000/pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://167.172.1.42:8088/c/msdownload/update/others/2016/12/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://167.172.1.42:8084/c/msdownload/update/others/2016/12/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://167.172.1.42:9001/c/msdownload/update/others/2016/12/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://service-qke82nt8-1301348154.gz.apigw.tencentcs.com/activity | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://101.43.129.115/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://167.172.1.42:8085/c/msdownload/update/others/2016/12/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://81.71.137.243/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://123.57.174.182:8888/ca | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://47.108.218.63:81/load | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://154.221.17.44:2090/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://94.142.138.168/ | RecordBreaker botnet C2 (confidence level: 100%) | |
urlhttp://1.14.63.190:8999/pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://39.107.70.26:8888/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://tthre3sr.top/zip.php | CryptBot botnet C2 (confidence level: 100%) | |
urlhttps://cins.hin7lostvas.pro/groupcp.css | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://service-cufhwy32-1317863896.gz.apigw.tencentcs.com:801/api/getit | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://43.136.173.81:8080/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://43.131.242.233/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://43.139.140.135/match | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://34.223.254.65/zomgapt | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://139.9.151.71:8081/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://www.windowupdates.one:2082/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://116.63.140.226/sugrec | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://176.113.115.145/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://59.110.215.128/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://114.132.226.154:12348/api/getit | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://111.231.28.170:8099/ca | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://185.225.74.182:4444/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://38.54.87.125:8080/us/ky/louisville/312-s-fourth-st.html | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://81.70.0.37:8888/visit.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://154.37.153.88/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://101.43.249.151:3083/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://43.136.14.250/pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://176.113.115.145/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://110.41.162.116:10086/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://198.98.52.184:20001/load | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://39.104.81.101:7005/cx | Cobalt Strike botnet C2 (confidence level: 100%) |
File
| Value | Description | Copy |
|---|---|---|
file185.252.179.190 | Mirai botnet C2 server (confidence level: 75%) | |
file23.106.140.90 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file187.211.118.225 | QakBot botnet C2 server (confidence level: 50%) | |
file70.177.91.236 | QakBot botnet C2 server (confidence level: 50%) | |
file194.233.175.76 | Mirai botnet C2 server (confidence level: 75%) | |
file190.134.54.109 | QakBot botnet C2 server (confidence level: 50%) | |
file104.243.47.45 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file103.82.25.131 | Bashlite botnet C2 server (confidence level: 75%) | |
file5.181.80.102 | Bashlite botnet C2 server (confidence level: 75%) | |
file190.211.252.50 | Mirai botnet C2 server (confidence level: 75%) | |
file134.122.121.18 | Sliver botnet C2 server (confidence level: 50%) | |
file134.122.121.18 | Sliver botnet C2 server (confidence level: 50%) | |
file134.122.121.18 | Sliver botnet C2 server (confidence level: 50%) | |
file116.62.139.1 | Sliver botnet C2 server (confidence level: 50%) | |
file116.62.139.1 | Sliver botnet C2 server (confidence level: 50%) | |
file52.147.196.140 | Havoc botnet C2 server (confidence level: 50%) | |
file78.57.231.58 | Responder botnet C2 server (confidence level: 50%) | |
file46.44.62.227 | Responder botnet C2 server (confidence level: 50%) | |
file165.22.57.138 | Responder botnet C2 server (confidence level: 50%) | |
file165.22.57.138 | Responder botnet C2 server (confidence level: 50%) | |
file104.238.60.31 | Responder botnet C2 server (confidence level: 50%) | |
file104.238.60.31 | Responder botnet C2 server (confidence level: 50%) | |
file167.114.115.246 | Responder botnet C2 server (confidence level: 50%) | |
file37.187.222.230 | DCRat botnet C2 server (confidence level: 50%) | |
file142.132.230.215 | Vidar botnet C2 server (confidence level: 100%) | |
file193.27.90.104 | Vidar botnet C2 server (confidence level: 100%) | |
file173.44.141.47 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file173.44.141.237 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file91.215.85.166 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file91.215.85.166 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file117.215.23.20 | QakBot botnet C2 server (confidence level: 50%) | |
file103.211.63.108 | QakBot botnet C2 server (confidence level: 50%) | |
file74.12.147.112 | QakBot botnet C2 server (confidence level: 50%) | |
file116.203.14.106 | Vidar botnet C2 server (confidence level: 100%) | |
file5.75.208.184 | Vidar botnet C2 server (confidence level: 100%) | |
file198.44.169.19 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file54.226.51.227 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file123.60.84.194 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file54.196.194.166 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file54.226.3.99 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file18.116.33.255 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file8.136.201.3 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file105.184.83.161 | QakBot botnet C2 server (confidence level: 50%) | |
file161.142.96.70 | QakBot botnet C2 server (confidence level: 50%) | |
file201.143.134.220 | QakBot botnet C2 server (confidence level: 50%) | |
file44.201.147.83 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file1.14.127.220 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file77.246.99.131 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file43.138.212.90 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file158.69.110.219 | Mekotio botnet C2 server (confidence level: 75%) | |
file137.135.127.65 | Mekotio botnet C2 server (confidence level: 75%) | |
file121.36.225.82 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file89.36.206.3 | QakBot botnet C2 server (confidence level: 50%) | |
file113.193.166.107 | QakBot botnet C2 server (confidence level: 50%) | |
file45.15.156.21 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file5.42.87.102 | Mirai botnet C2 server (confidence level: 75%) | |
file103.172.227.110 | QakBot botnet C2 server (confidence level: 50%) | |
file116.75.63.252 | QakBot botnet C2 server (confidence level: 50%) | |
file74.12.147.211 | QakBot botnet C2 server (confidence level: 50%) | |
file77.91.68.70 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file87.121.221.53 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file87.121.221.53 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file87.121.221.53 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file197.204.60.154 | QakBot botnet C2 server (confidence level: 50%) | |
file39.40.228.232 | QakBot botnet C2 server (confidence level: 50%) | |
file103.166.185.17 | Mirai botnet C2 server (confidence level: 75%) | |
file37.1.220.35 | BianLian botnet C2 server (confidence level: 50%) | |
file104.238.60.31 | Responder botnet C2 server (confidence level: 50%) | |
file139.84.172.30 | pupy botnet C2 server (confidence level: 50%) | |
file41.147.196.64 | pupy botnet C2 server (confidence level: 50%) | |
file74.12.147.211 | QakBot botnet C2 server (confidence level: 50%) | |
file193.149.129.87 | IcedID botnet C2 server (confidence level: 75%) | |
file45.144.178.236 | IcedID botnet C2 server (confidence level: 75%) | |
file115.236.153.170 | Ghost RAT botnet C2 server (confidence level: 100%) | |
file59.88.166.218 | QakBot botnet C2 server (confidence level: 50%) | |
file85.175.101.203 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file103.57.228.100 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file185.234.114.92 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file43.138.212.90 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file43.131.242.233 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file43.139.140.135 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file34.223.254.65 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file45.77.92.21 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file116.63.140.226 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file176.113.115.145 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file59.110.215.128 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file180.76.164.197 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file154.37.153.88 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file43.136.14.250 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file176.113.115.145 | Cobalt Strike botnet C2 server (confidence level: 100%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash42069 | Mirai botnet C2 server (confidence level: 75%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | QakBot botnet C2 server (confidence level: 50%) | |
hash443 | QakBot botnet C2 server (confidence level: 50%) | |
hash3778 | Mirai botnet C2 server (confidence level: 75%) | |
hash995 | QakBot botnet C2 server (confidence level: 50%) | |
hash5230 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash31337 | Bashlite botnet C2 server (confidence level: 75%) | |
hash7267 | Bashlite botnet C2 server (confidence level: 75%) | |
hash4277 | Mirai botnet C2 server (confidence level: 75%) | |
hash8888 | Sliver botnet C2 server (confidence level: 50%) | |
hash443 | Sliver botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash8000 | Sliver botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash80 | Responder botnet C2 server (confidence level: 50%) | |
hash5985 | Responder botnet C2 server (confidence level: 50%) | |
hash80 | Responder botnet C2 server (confidence level: 50%) | |
hash443 | Responder botnet C2 server (confidence level: 50%) | |
hash80 | Responder botnet C2 server (confidence level: 50%) | |
hash443 | Responder botnet C2 server (confidence level: 50%) | |
hash445 | Responder botnet C2 server (confidence level: 50%) | |
hash8848 | DCRat botnet C2 server (confidence level: 50%) | |
hash80 | Vidar botnet C2 server (confidence level: 100%) | |
hash80 | Vidar botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash44ba46dfff78bc62a3b2619d308ca40c | RokRAT payload (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash993 | QakBot botnet C2 server (confidence level: 50%) | |
hash443 | QakBot botnet C2 server (confidence level: 50%) | |
hash2083 | QakBot botnet C2 server (confidence level: 50%) | |
hash80 | Vidar botnet C2 server (confidence level: 100%) | |
hash27016 | Vidar botnet C2 server (confidence level: 100%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash81 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash995 | QakBot botnet C2 server (confidence level: 50%) | |
hash995 | QakBot botnet C2 server (confidence level: 50%) | |
hash443 | QakBot botnet C2 server (confidence level: 50%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash3389 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash3726 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash9002 | Mekotio botnet C2 server (confidence level: 75%) | |
hash5603 | Mekotio botnet C2 server (confidence level: 75%) | |
hashe355f48c3ed7ee1ee13c65ca592f911a | DUCKTAIL payload (confidence level: 100%) | |
hash100 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash995 | QakBot botnet C2 server (confidence level: 50%) | |
hash443 | QakBot botnet C2 server (confidence level: 50%) | |
hash15863 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash2b15e141363e6f69a48e45b8ecb92176 | Unknown malware payload (confidence level: 100%) | |
hashd35a9ab04a246de36b5f37b1b98dfe2f | Unknown malware payload (confidence level: 100%) | |
hashb3bcae51f0976c9716fd82503c1692b6 | Unknown malware payload (confidence level: 100%) | |
hashdbd5903b3044965d708aec5c54a5e680 | Unknown malware payload (confidence level: 100%) | |
hashb7ac63896066c386b66e5e27805c277a | Unknown malware payload (confidence level: 100%) | |
hash3855f8e6e4c41f8b0833ecee70f5cb37 | Unknown malware payload (confidence level: 100%) | |
hasha7067de7145a86d787c4f1a0e652c093 | Unknown malware payload (confidence level: 100%) | |
hash889017305bc03aed07e8c62a1ed02d03 | Unknown malware payload (confidence level: 100%) | |
hash45 | Mirai botnet C2 server (confidence level: 75%) | |
hash443 | QakBot botnet C2 server (confidence level: 50%) | |
hash443 | QakBot botnet C2 server (confidence level: 50%) | |
hash2083 | QakBot botnet C2 server (confidence level: 50%) | |
hash19073 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 75%) | |
hash7707 | AsyncRAT botnet C2 server (confidence level: 75%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 75%) | |
hash443 | QakBot botnet C2 server (confidence level: 50%) | |
hash995 | QakBot botnet C2 server (confidence level: 50%) | |
hash3778 | Mirai botnet C2 server (confidence level: 75%) | |
hash80 | BianLian botnet C2 server (confidence level: 50%) | |
hash5985 | Responder botnet C2 server (confidence level: 50%) | |
hash443 | pupy botnet C2 server (confidence level: 50%) | |
hash80 | pupy botnet C2 server (confidence level: 50%) | |
hash2222 | QakBot botnet C2 server (confidence level: 50%) | |
hash443 | IcedID botnet C2 server (confidence level: 75%) | |
hash443 | IcedID botnet C2 server (confidence level: 75%) | |
hash11302 | Ghost RAT botnet C2 server (confidence level: 100%) | |
hash993 | QakBot botnet C2 server (confidence level: 50%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash801 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash2082 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
Domain
| Value | Description | Copy |
|---|---|---|
domain173-44-141-47.nip.io | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainelbendito.con-ip.com | Remcos botnet C2 domain (confidence level: 100%) | |
domainbts.korpop.top | RedLine Stealer botnet C2 domain (confidence level: 100%) | |
domainwww.muenchner-finanzhlife.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainns1.dnslive.top | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainns2.dnslive.top | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainpeace.winexmarkets11.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domaindata.microsoft-cloud-upload.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainguest.grovedentalpractice.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domaindelideta.com | ISFB botnet C2 domain (confidence level: 100%) | |
domainservice.coffeeplato.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainservice-cufhwy32-1317863896.gz.apigw.tencentcs.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainmofagov.live | SideWinder botnet C2 domain (confidence level: 50%) | |
domainmofagov.info | SideWinder botnet C2 domain (confidence level: 50%) | |
domainnuevogomelove.webredirect.org | Mekotio botnet C2 domain (confidence level: 100%) | |
domaincatrinavc.shop | Mekotio botnet C2 domain (confidence level: 100%) | |
domaintat.secretcms.top | RedLine Stealer botnet C2 domain (confidence level: 100%) | |
domainwww.windowupdates.one | Cobalt Strike botnet C2 domain (confidence level: 100%) |
Threat ID: 682c7abfe3e6de8ceb75ed7d
Added to database: 5/20/2025, 12:51:11 PM
Last enriched: 6/19/2025, 1:31:51 PM
Last updated: 7/31/2025, 12:17:42 AM
Views: 6
Related Threats
ThreatFox IOCs for 2025-08-15
MediumMalwareSat Aug 16 2025
Threat Actor Profile: Interlock Ransomware
MediumMalwareFri Aug 15 2025
'Blue Locker' Analysis: Ransomware Targeting Oil & Gas Sector in Pakistan
MediumMalwareFri Aug 15 2025
Kawabunga, Dude, You've Been Ransomed!
MediumMalwareFri Aug 15 2025
ERMAC V3.0 Banking Trojan: Full Source Code Leak and Infrastructure Analysis
MediumMalwareFri Aug 15 2025
Actions
PRO
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Please log in to the Console to use AI analysis features.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.