ThreatFox IOCs for 2023-09-04
AI Analysis
Technical Summary
The provided threat intelligence concerns a malware-related report titled "ThreatFox IOCs for 2023-09-04," sourced from ThreatFox, a platform specializing in sharing Indicators of Compromise (IOCs) and threat intelligence data. The report is categorized under "type:osint," indicating it primarily involves open-source intelligence data rather than a specific malware family or exploit. No specific affected software versions, vulnerabilities, or detailed technical indicators are provided, and there are no known exploits in the wild associated with this threat at the time of publication. The threat level is rated as 2 on an unspecified scale, with analysis and distribution scores of 1 and 3 respectively, suggesting limited analytical depth but a moderate distribution or presence in the wild. The absence of CWEs, patch links, or detailed technical descriptions implies that this report serves more as an informational update or a collection of IOCs rather than a direct alert about an active or emerging exploit. The medium severity rating reflects a cautious stance, acknowledging potential risks without concrete evidence of widespread impact or exploitation. Overall, this threat intelligence appears to be a situational awareness update rather than a critical or immediate threat, emphasizing the importance of monitoring and preparedness rather than urgent remediation.
Potential Impact
Given the lack of specific technical details, affected products, or known exploits, the direct impact on European organizations is currently limited. However, the distribution score of 3 indicates that the malware or associated IOCs may be moderately present or circulating, which could pose risks if leveraged in targeted attacks. European organizations relying on open-source intelligence tools or platforms similar to ThreatFox might encounter these IOCs during threat hunting or incident response activities. The medium severity suggests potential confidentiality, integrity, or availability concerns if the malware were to be deployed effectively, but no immediate widespread compromise is evident. The absence of authentication or user interaction details limits the ability to assess exploitation ease, but the general nature of OSINT-related malware implies that attacks could be opportunistic or part of broader reconnaissance efforts. Consequently, European entities should remain vigilant, particularly those in critical infrastructure, finance, and government sectors, where even low-level threats can escalate if combined with other attack vectors.
Mitigation Recommendations
1. Integrate ThreatFox IOCs into existing Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems to enhance detection capabilities.
2. Conduct regular threat hunting exercises using the latest OSINT feeds to identify any signs of compromise related to these IOCs.
3. Maintain updated and comprehensive asset inventories to quickly assess exposure to any emerging threats linked to these indicators.
4. Implement network segmentation and strict access controls to limit lateral movement should an infection occur.
5. Educate security teams on interpreting and leveraging OSINT data effectively, ensuring that medium-severity alerts are contextualized appropriately.
6. Establish collaboration channels with national and European cybersecurity centers to share intelligence and receive timely updates on evolving threats.
7. Regularly review and update incident response plans to incorporate scenarios involving OSINT-derived malware threats, even if currently low impact.
These steps go beyond generic advice by focusing on operationalizing OSINT data and enhancing proactive detection and response capabilities tailored to the nature of this threat.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- Uuid: 0cc699a4-712c-4af0-9e9c-58e73187d1af
- Original Timestamp: 1693872186
file104.194.222.70 | BianLian botnet C2 server (confidence level: 50%) | |
file104.194.222.70 | BianLian botnet C2 server (confidence level: 50%) | |
file103.20.235.154 | BianLian botnet C2 server (confidence level: 50%) | |
file2.56.10.6 | Havoc botnet C2 server (confidence level: 50%) | |
file104.207.155.133 | Responder botnet C2 server (confidence level: 50%) | |
file143.110.239.243 | Responder botnet C2 server (confidence level: 50%) | |
file5.161.227.219 | Responder botnet C2 server (confidence level: 50%) | |
file5.161.227.219 | Responder botnet C2 server (confidence level: 50%) | |
file60.204.211.173 | Unknown malware botnet C2 server (confidence level: 50%) | |
file65.109.229.201 | Vidar botnet C2 server (confidence level: 100%) | |
file37.27.17.95 | Vidar botnet C2 server (confidence level: 100%) | |
file159.203.22.84 | IcedID botnet C2 server (confidence level: 50%) | |
file185.149.146.41 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file85.209.3.13 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file124.220.189.137 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file8.134.151.230 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file31.41.244.27 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file136.243.144.126 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file4.216.136.100 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file45.92.1.32 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file103.147.225.170 | Unknown malware botnet C2 server (confidence level: 100%) | |
file104.234.10.8 | Unknown malware botnet C2 server (confidence level: 100%) | |
file167.88.166.221 | Unknown malware botnet C2 server (confidence level: 100%) | |
file172.86.96.152 | Unknown malware botnet C2 server (confidence level: 100%) | |
file172.86.97.173 | Unknown malware botnet C2 server (confidence level: 100%) | |
file172.86.97.85 | Unknown malware botnet C2 server (confidence level: 100%) | |
file202.79.169.188 | Unknown malware botnet C2 server (confidence level: 100%) | |
file202.95.15.135 | Unknown malware botnet C2 server (confidence level: 100%) | |
file217.148.142.58 | Unknown malware botnet C2 server (confidence level: 100%) | |
file27.124.19.133 | Unknown malware botnet C2 server (confidence level: 100%) | |
file27.124.20.29 | Unknown malware botnet C2 server (confidence level: 100%) | |
file27.124.41.223 | Unknown malware botnet C2 server (confidence level: 100%) | |
file27.124.44.230 | Unknown malware botnet C2 server (confidence level: 100%) | |
file27.124.47.53 | Unknown malware botnet C2 server (confidence level: 100%) | |
file45.61.128.113 | Unknown malware botnet C2 server (confidence level: 100%) | |
file62.72.27.139 | Unknown malware botnet C2 server (confidence level: 100%) | |
file62.72.27.90 | Unknown malware botnet C2 server (confidence level: 100%) | |
file89.208.137.159 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file3.22.30.40 | Nanocore RAT botnet C2 server (confidence level: 100%) | |
file3.17.7.232 | Nanocore RAT botnet C2 server (confidence level: 100%) | |
file3.134.39.220 | Nanocore RAT botnet C2 server (confidence level: 100%) | |
file3.14.182.203 | Nanocore RAT botnet C2 server (confidence level: 100%) | |
file3.134.125.175 | Nanocore RAT botnet C2 server (confidence level: 100%) | |
file3.13.191.225 | Nanocore RAT botnet C2 server (confidence level: 100%) | |
file198.244.251.250 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file51.161.105.119 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file5.196.35.57 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file146.59.161.10 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file51.195.145.78 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file158.69.131.146 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file51.222.69.3 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file51.195.251.7 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file51.89.207.166 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file51.89.204.67 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file51.195.251.9 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file51.254.49.49 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file15.204.170.1 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file51.81.7.207 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file45.138.16.217 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file45.138.16.89 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file147.124.209.80 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file74.208.105.80 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file23.254.227.121 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file81.218.45.223 | DCRat botnet C2 server (confidence level: 75%) | |
file119.91.99.194 | DCRat botnet C2 server (confidence level: 75%) | |
file190.22.177.241 | N-W0rm botnet C2 server (confidence level: 100%) | |
file18.158.58.205 | NjRAT botnet C2 server (confidence level: 100%) | |
file159.89.48.118 | Unknown malware botnet C2 server (confidence level: 50%) | |
file184.97.46.154 | Deimos botnet C2 server (confidence level: 50%) | |
file103.20.235.154 | BianLian botnet C2 server (confidence level: 50%) | |
file192.236.192.207 | BianLian botnet C2 server (confidence level: 50%) | |
file85.13.119.236 | BianLian botnet C2 server (confidence level: 50%) | |
file206.166.251.95 | Havoc botnet C2 server (confidence level: 50%) | |
file206.71.148.109 | Responder botnet C2 server (confidence level: 50%) | |
file46.101.82.153 | Responder botnet C2 server (confidence level: 50%) | |
file179.43.142.36 | DCRat botnet C2 server (confidence level: 50%) | |
file193.106.175.168 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file121.4.115.237 | Unknown malware botnet C2 server (confidence level: 50%) | |
file192.210.136.252 | Unknown malware botnet C2 server (confidence level: 50%) | |
file175.24.205.80 | Unknown malware botnet C2 server (confidence level: 50%) | |
file47.104.221.243 | Meterpreter botnet C2 server (confidence level: 100%) | |
file193.149.129.81 | IcedID botnet C2 server (confidence level: 75%) | |
file47.118.48.188 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file5.75.209.196 | Vidar botnet C2 server (confidence level: 100%) | |
file195.201.248.117 | Vidar botnet C2 server (confidence level: 100%) | |
file91.109.180.3 | NjRAT botnet C2 server (confidence level: 100%) |
Threat ID: 682b7b9fd3ddd8cef2e66604
Added to database: 5/19/2025, 6:42:39 PM
Last enriched: 6/18/2025, 7:01:53 PM
Last updated: 8/13/2025, 5:14:33 PM
Views: 11