ThreatFox IOCs for 2023-09-07
AI Analysis
Technical Summary
The provided threat information pertains to a set of Indicators of Compromise (IOCs) published on September 7, 2023, by ThreatFox, a platform specializing in sharing threat intelligence and malware-related data. The threat is categorized as malware-related and is associated with OSINT (Open Source Intelligence) products or data. However, the details are limited, with no specific affected software versions, no identified Common Weakness Enumerations (CWEs), and no known exploits in the wild. The technical details indicate a moderate threat level (threatLevel: 2 on an unspecified scale), moderate analysis confidence (analysis: 1), and a higher distribution factor (distribution: 3), suggesting the IOCs may be widely disseminated or relevant to multiple targets. The absence of concrete technical indicators, patch links, or exploit details limits the ability to pinpoint exact attack vectors or malware behavior. Given the nature of ThreatFox as a repository for threat intelligence, this entry likely represents a collection of IOCs related to malware campaigns or infrastructure observed around the publication date rather than a single exploit or vulnerability. The medium severity rating assigned by the source aligns with the moderate threat level and distribution, indicating a potential risk that requires attention but does not currently represent an immediate critical threat. The lack of authentication or user interaction requirements is not explicitly stated, but given the OSINT context, these IOCs might be used for detection and prevention rather than representing a direct exploit requiring user action.
Potential Impact
For European organizations, the impact of this threat primarily revolves around the potential for malware infections or compromise through the indicators shared. Since the threat details are generic and no specific malware family or attack vector is identified, the risk lies in the possibility that these IOCs correspond to active or emerging malware campaigns targeting various sectors. The distribution factor suggests that multiple organizations or systems could be targeted or affected. Potential impacts include unauthorized access, data exfiltration, disruption of services, or lateral movement within networks if the malware is successfully deployed. The medium severity implies that while the threat is notable, it may not lead to widespread or catastrophic damage without additional factors such as targeted exploitation or vulnerabilities. European organizations with extensive exposure to open-source intelligence feeds or those relying on automated threat detection systems incorporating ThreatFox data may benefit from early warnings but must remain vigilant. The lack of known exploits in the wild reduces immediate risk but does not preclude future exploitation or the emergence of related malware variants.
Mitigation Recommendations
Given the nature of the threat as a set of IOCs rather than a specific vulnerability or exploit, mitigation should focus on enhancing detection and response capabilities. European organizations should integrate the latest ThreatFox IOCs into their Security Information and Event Management (SIEM) systems, intrusion detection/prevention systems (IDS/IPS), and endpoint detection and response (EDR) tools to identify potential malware activity promptly. Regularly updating threat intelligence feeds and correlating these IOCs with internal logs can improve early detection. Network segmentation and strict access controls can limit malware propagation if an infection occurs. Conducting threat hunting exercises using these IOCs can proactively identify compromised assets. Additionally, organizations should ensure robust patch management for all systems to reduce the attack surface, even though no specific patches are linked to this threat. Employee awareness training remains critical to reduce the risk of malware delivery via phishing or social engineering, which often accompany malware campaigns. Finally, sharing intelligence with relevant European cybersecurity information sharing organizations can enhance collective defense.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- domain: sept6amd.tuktuk.ug
- file: 89.117.74.176
- hash: 2626
- file: 89.117.74.176
- hash: 8081
- file: 89.117.74.176
- hash: 9090
- file: 18.158.249.75
- hash: 19120
- url: https://vvooowkdqddcqcqcdqggggl.site/vvmd54/
- url: http://46.18.107.229/wordpressvmimagepacket/1/temporarysql76/phplow2eternal/temphttpvoiddb0/togeo/imagebase/to/64packettest/securelongpoll/better/7/windows58/line/6voiddbcentral/jsupdatewordpress.php
- url: http://fresh1.oracover.buzz/_errorpages/fresh1/five/fre.php
- domain: admlogs77x.online
- domain: blogxstat25.xyz
- domain: blogxstat38.xyz
- domain: demblog289.xyz
- domain: serverxlogs21.xyz
- domain: servxblog79.xyz
- url: http://5.161.188.133/69b3ae67feef2db7.php
- file: 35.158.159.254
- hash: 15300
- file: 3.127.253.86
- hash: 15300
- file: 52.28.112.211
- hash: 15300
- file: 18.198.77.177
- hash: 15300
- domain: vvooowkdqddcqcqcdqggggl.site
- domain: stats-best.site
- file: 43.140.252.169
- hash: 8000
- file: 51.222.196.70
- hash: 443
- file: 44.211.190.165
- hash: 80
- file: 73.196.213.146
- hash: 80
- file: 117.50.178.24
- hash: 8088
- file: 18.184.92.206
- hash: 443
- file: 114.115.129.32
- hash: 18443
- url: http://menufreith.sytes.net:8383/ijbjvdgfsh/panel/five/fre.php
- file: 113.31.116.173
- hash: 8888
- url: http://popopuns.club
- url: http://uniquebbs.asia
- url: http://avvmain.online
- url: http://62.109.0.255/uploadslinuximage5/processor6/cdn/dbgenerator/mariadbgeo/flowerlinux5/mariadbpipesecure/5secure/polldle1provider/protectdownloads/7update2test/localdefault/line/track/eternal8/trackjavascriptapi/pollasynccdncentral.php
- domain: menufreith.sytes.net
- file: 80.85.241.108
- hash: 80
- url: http://80.85.241.108/
- url: http://80.85.241.108/liux.zip
- url: https://124.223.222.199/ie9compatviewlist.xml
- file: 124.223.222.199
- hash: 443
- url: https://qianxin.edr-down.uk/owa/
- domain: qianxin.edr-down.uk
- file: 150.158.173.125
- hash: 443
- url: https://sybercodesilver.lol/ptj
- file: 85.111.90.157
- hash: 443
- url: https://13.229.134.180/_/scs/mail-static/_/js/
- file: 13.229.134.180
- hash: 443
- url: https://poqwjoemqzmemzgqegzqzf.online/vvmd54/
- file: 209.25.141.229
- hash: 54720
- file: 3.67.112.102
- hash: 10309
- file: 3.67.62.142
- hash: 10309
- file: 3.64.4.198
- hash: 10309
- file: 5.75.211.215
- hash: 40309
- file: 79.110.48.87
- hash: 2402
- file: 3.22.30.40
- hash: 25565
- file: 3.134.125.175
- hash: 25565
- file: 3.13.191.225
- hash: 25565
- file: 3.14.182.203
- hash: 25565
- file: 194.180.48.160
- hash: 4898
- domain: fresh1.oracover.buzz
- file: 45.12.253.107
- hash: 6606
- file: 45.12.253.107
- hash: 7707
- file: 3.125.209.94
- hash: 15305
- file: 3.125.223.134
- hash: 15305
- file: 3.124.142.205
- hash: 15305
- file: 3.125.102.39
- hash: 15305
- file: 18.192.31.165
- hash: 15305
- url: http://qianxin.edr-down.uk/owa/
- file: 150.158.173.125
- hash: 80
- file: 185.225.75.68
- hash: 2222
- url: http://141.98.6.249/vdgfsh/panel/five/fre.php
- url: http://141.98.6.249:8383/vdgfsh/panel/five/fre.php
- file: 172.233.240.65
- hash: 31337
- file: 172.233.240.65
- hash: 8888
- file: 118.193.37.157
- hash: 31337
- file: 91.223.208.155
- hash: 8443
- file: 170.178.201.212
- hash: 7443
- file: 204.152.203.90
- hash: 5903
- file: 212.118.42.117
- hash: 443
- file: 34.207.174.202
- hash: 443
- file: 167.172.86.3
- hash: 8080
- file: 206.188.197.20
- hash: 443
- file: 73.196.213.146
- hash: 443
- file: 24.199.106.201
- hash: 443
- file: 209.51.171.194
- hash: 445
- file: 18.184.92.206
- hash: 80
- file: 18.184.92.206
- hash: 445
- file: 63.34.170.255
- hash: 5986
- file: 185.82.200.121
- hash: 8888
- file: 45.145.229.102
- hash: 8888
- file: 42.228.212.209
- hash: 8888
- file: 179.13.2.154
- hash: 8000
- url: https://fwe43.danamoninternal.com/jquery-3.6.1.min.js
- domain: fwe43.danamoninternal.com
- url: https://fxe12.danamoninternal.com/jquery-3.6.1.min.js
- domain: fxe12.danamoninternal.com
- domain: piac.elsewhens.org
- domain: dns.elsewhens.org
- file: 185.132.125.151
- hash: 53
- url: http://116.62.138.140:8081/ie9compatviewlist.xml
- url: http://service-oshdwnr7-1306743016.bj.apigw.tencentcs.com/api/ymget0905
- domain: service-oshdwnr7-1306743016.bj.apigw.tencentcs.com
- url: http://152.136.35.240/en_us/all.js
- url: https://165.154.130.222:4444/match
- url: http://165.154.130.222:1234/ga.js
- url: https://service-oshdwnr7-1306743016.bj.apigw.tencentcs.com/api/ymget0905
- url: http://124.221.183.95:9966/__utm.gif
- url: http://119.3.177.241:8888/ca
- file: 47.110.149.136
- hash: 8888
- url: https://139.199.180.136/pixel
- url: http://82.157.101.73:88/push
- url: http://49.232.197.218:8092/g.pixel
- url: http://139.159.203.44:8001/load
- url: https://120.53.86.130:8443/level/v5.7/azf0zh83ykv
- url: http://43.153.222.28:4646/ga.js
- url: http://124.220.189.137:8888/clemente/details
- url: http://139.155.42.254:111/j.ad
- url: http://198.98.52.184:20001/en_us/all.js
- url: http://192.144.234.209/ptj
- url: https://43.153.222.28/cx
- url: https://152.136.47.4/fwlink
- url: http://118.89.71.205:9999/cm
- url: https://110.40.184.247/pixel
- url: https://api.0nedriveup.com/__utm.gif
- url: http://1.15.244.128:8088/dpixel
- url: http://175.24.163.235/match
- url: https://cs.sharksbaby.pro/destroy/v6.82/e4qyn5hvxj
- domain: cs.sharksbaby.pro
- file: 194.15.102.26
- hash: 443
- file: 141.98.6.249
- hash: 8383
- file: 193.109.120.108
- hash: 80
- file: 66.63.168.126
- hash: 80
- url: http://45.94.42.61:8091/activity
- url: https://38.207.179.124/pixel
- file: 38.207.179.124
- hash: 443
- url: http://116.204.104.60:808/push
- url: http://116.62.114.96:8080/jquery-3.3.1.min.js
- url: https://listen.appstored.store/apple-3.3.1.min.js
- domain: listen.appstored.store
- file: 194.26.192.178
- hash: 29662
- url: http://13.229.134.180/_/scs/mail-static/_/js/
- file: 13.229.134.180
- hash: 80
- url: http://br3dq.shop/pl341/index.php
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- UUID: f97d95a2-3d3a-4889-af8e-36b2c7438c31
- Original Timestamp: 1694131386
Indicators of Compromise
Domain
Value | Description
---|---
sept6amd.tuktuk.ug | RedLine Stealer botnet C2 domain (confidence level: 100%)
admlogs77x.online | SmokeLoader botnet C2 domain (confidence level: 100%)
blogxstat25.xyz | SmokeLoader botnet C2 domain (confidence level: 100%)
blogxstat38.xyz | SmokeLoader botnet C2 domain (confidence level: 100%)
demblog289.xyz | SmokeLoader botnet C2 domain (confidence level: 100%)
serverxlogs21.xyz | SmokeLoader botnet C2 domain (confidence level: 100%)
servxblog79.xyz | SmokeLoader botnet C2 domain (confidence level: 100%)
vvooowkdqddcqcqcdqggggl.site | Unknown malware payload delivery domain (confidence level: 100%)
stats-best.site | Unknown malware payload delivery domain (confidence level: 100%)
menufreith.sytes.net | Loki Password Stealer (PWS) botnet C2 domain (confidence level: 50%)
qianxin.edr-down.uk | Cobalt Strike botnet C2 domain (confidence level: 100%)
fresh1.oracover.buzz | Loki Password Stealer (PWS) botnet C2 domain (confidence level: 50%)
fwe43.danamoninternal.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
fxe12.danamoninternal.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
piac.elsewhens.org | Cobalt Strike botnet C2 domain (confidence level: 100%)
dns.elsewhens.org | Cobalt Strike botnet C2 domain (confidence level: 100%)
service-oshdwnr7-1306743016.bj.apigw.tencentcs.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
cs.sharksbaby.pro | Cobalt Strike botnet C2 domain (confidence level: 100%)
listen.appstored.store | Cobalt Strike botnet C2 domain (confidence level: 100%)
File
Value | Description
---|---
89.117.74.176 | AdWind botnet C2 server (confidence level: 100%)
89.117.74.176 | AdWind botnet C2 server (confidence level: 100%)
89.117.74.176 | AdWind botnet C2 server (confidence level: 100%)
18.158.249.75 | NjRAT botnet C2 server (confidence level: 100%)
35.158.159.254 | NjRAT botnet C2 server (confidence level: 100%)
3.127.253.86 | NjRAT botnet C2 server (confidence level: 100%)
52.28.112.211 | NjRAT botnet C2 server (confidence level: 100%)
18.198.77.177 | NjRAT botnet C2 server (confidence level: 100%)
43.140.252.169 | SparkRAT botnet C2 server (confidence level: 75%)
51.222.196.70 | Unknown malware botnet C2 server (confidence level: 50%)
44.211.190.165 | Unknown malware botnet C2 server (confidence level: 50%)
73.196.213.146 | Havoc botnet C2 server (confidence level: 50%)
117.50.178.24 | Havoc botnet C2 server (confidence level: 50%)
18.184.92.206 | Responder botnet C2 server (confidence level: 50%)
114.115.129.32 | pupy botnet C2 server (confidence level: 50%)
113.31.116.173 | Unknown malware botnet C2 server (confidence level: 50%)
80.85.241.108 | Vidar botnet C2 server (confidence level: 100%)
124.223.222.199 | Cobalt Strike botnet C2 server (confidence level: 100%)
150.158.173.125 | Cobalt Strike botnet C2 server (confidence level: 100%)
85.111.90.157 | Cobalt Strike botnet C2 server (confidence level: 100%)
13.229.134.180 | Cobalt Strike botnet C2 server (confidence level: 100%)
209.25.141.229 | NjRAT botnet C2 server (confidence level: 100%)
3.67.112.102 | NjRAT botnet C2 server (confidence level: 100%)
3.67.62.142 | NjRAT botnet C2 server (confidence level: 100%)
3.64.4.198 | NjRAT botnet C2 server (confidence level: 100%)
5.75.211.215 | RedLine Stealer botnet C2 server (confidence level: 100%)
79.110.48.87 | Remcos botnet C2 server (confidence level: 100%)
3.22.30.40 | NjRAT botnet C2 server (confidence level: 100%)
3.134.125.175 | NjRAT botnet C2 server (confidence level: 100%)
3.13.191.225 | NjRAT botnet C2 server (confidence level: 100%)
3.14.182.203 | NjRAT botnet C2 server (confidence level: 100%)
194.180.48.160 | Ave Maria botnet C2 server (confidence level: 100%)
45.12.253.107 | AsyncRAT botnet C2 server (confidence level: 100%)
45.12.253.107 | AsyncRAT botnet C2 server (confidence level: 75%)
3.125.209.94 | NjRAT botnet C2 server (confidence level: 100%)
3.125.223.134 | NjRAT botnet C2 server (confidence level: 100%)
3.124.142.205 | NjRAT botnet C2 server (confidence level: 100%)
3.125.102.39 | NjRAT botnet C2 server (confidence level: 100%)
18.192.31.165 | NjRAT botnet C2 server (confidence level: 100%)
150.158.173.125 | Cobalt Strike botnet C2 server (confidence level: 100%)
185.225.75.68 | Ave Maria botnet C2 server (confidence level: 100%)
172.233.240.65 | Sliver botnet C2 server (confidence level: 50%)
172.233.240.65 | Sliver botnet C2 server (confidence level: 50%)
118.193.37.157 | Sliver botnet C2 server (confidence level: 50%)
91.223.208.155 | Brute Ratel C4 botnet C2 server (confidence level: 50%)
170.178.201.212 | Unknown malware botnet C2 server (confidence level: 50%)
204.152.203.90 | BianLian botnet C2 server (confidence level: 50%)
212.118.42.117 | BianLian botnet C2 server (confidence level: 50%)
34.207.174.202 | BianLian botnet C2 server (confidence level: 50%)
167.172.86.3 | Havoc botnet C2 server (confidence level: 50%)
206.188.197.20 | Havoc botnet C2 server (confidence level: 50%)
73.196.213.146 | Havoc botnet C2 server (confidence level: 50%)
24.199.106.201 | Havoc botnet C2 server (confidence level: 50%)
209.51.171.194 | Responder botnet C2 server (confidence level: 50%)
18.184.92.206 | Responder botnet C2 server (confidence level: 50%)
18.184.92.206 | Responder botnet C2 server (confidence level: 50%)
63.34.170.255 | Responder botnet C2 server (confidence level: 50%)
185.82.200.121 | Unknown malware botnet C2 server (confidence level: 50%)
45.145.229.102 | Unknown malware botnet C2 server (confidence level: 50%)
42.228.212.209 | Unknown malware botnet C2 server (confidence level: 50%)
179.13.2.154 | Remcos botnet C2 server (confidence level: 100%)
185.132.125.151 | Cobalt Strike botnet C2 server (confidence level: 100%)
47.110.149.136 | Cobalt Strike botnet C2 server (confidence level: 100%)
194.15.102.26 | Cobalt Strike botnet C2 server (confidence level: 100%)
141.98.6.249 | Loki Password Stealer (PWS) botnet C2 server (confidence level: 50%)
193.109.120.108 | IcedID botnet C2 server (confidence level: 75%)
66.63.168.126 | IcedID botnet C2 server (confidence level: 75%)
38.207.179.124 | Cobalt Strike botnet C2 server (confidence level: 100%)
194.26.192.178 | RedLine Stealer botnet C2 server (confidence level: 100%)
13.229.134.180 | Cobalt Strike botnet C2 server (confidence level: 100%)
Hash
Value | Description
---|---
2626 | AdWind botnet C2 server (confidence level: 100%)
8081 | AdWind botnet C2 server (confidence level: 100%)
9090 | AdWind botnet C2 server (confidence level: 100%)
19120 | NjRAT botnet C2 server (confidence level: 100%)
15300 | NjRAT botnet C2 server (confidence level: 100%)
15300 | NjRAT botnet C2 server (confidence level: 100%)
15300 | NjRAT botnet C2 server (confidence level: 100%)
15300 | NjRAT botnet C2 server (confidence level: 100%)
8000 | SparkRAT botnet C2 server (confidence level: 75%)
443 | Unknown malware botnet C2 server (confidence level: 50%)
80 | Unknown malware botnet C2 server (confidence level: 50%)
80 | Havoc botnet C2 server (confidence level: 50%)
8088 | Havoc botnet C2 server (confidence level: 50%)
443 | Responder botnet C2 server (confidence level: 50%)
18443 | pupy botnet C2 server (confidence level: 50%)
8888 | Unknown malware botnet C2 server (confidence level: 50%)
80 | Vidar botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
54720 | NjRAT botnet C2 server (confidence level: 100%)
10309 | NjRAT botnet C2 server (confidence level: 100%)
10309 | NjRAT botnet C2 server (confidence level: 100%)
10309 | NjRAT botnet C2 server (confidence level: 100%)
40309 | RedLine Stealer botnet C2 server (confidence level: 100%)
2402 | Remcos botnet C2 server (confidence level: 100%)
25565 | NjRAT botnet C2 server (confidence level: 100%)
25565 | NjRAT botnet C2 server (confidence level: 100%)
25565 | NjRAT botnet C2 server (confidence level: 100%)
25565 | NjRAT botnet C2 server (confidence level: 100%)
4898 | Ave Maria botnet C2 server (confidence level: 100%)
6606 | AsyncRAT botnet C2 server (confidence level: 100%)
7707 | AsyncRAT botnet C2 server (confidence level: 75%)
15305 | NjRAT botnet C2 server (confidence level: 100%)
15305 | NjRAT botnet C2 server (confidence level: 100%)
15305 | NjRAT botnet C2 server (confidence level: 100%)
15305 | NjRAT botnet C2 server (confidence level: 100%)
15305 | NjRAT botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
2222 | Ave Maria botnet C2 server (confidence level: 100%)
31337 | Sliver botnet C2 server (confidence level: 50%)
8888 | Sliver botnet C2 server (confidence level: 50%)
31337 | Sliver botnet C2 server (confidence level: 50%)
8443 | Brute Ratel C4 botnet C2 server (confidence level: 50%)
7443 | Unknown malware botnet C2 server (confidence level: 50%)
5903 | BianLian botnet C2 server (confidence level: 50%)
443 | BianLian botnet C2 server (confidence level: 50%)
443 | BianLian botnet C2 server (confidence level: 50%)
8080 | Havoc botnet C2 server (confidence level: 50%)
443 | Havoc botnet C2 server (confidence level: 50%)
443 | Havoc botnet C2 server (confidence level: 50%)
443 | Havoc botnet C2 server (confidence level: 50%)
445 | Responder botnet C2 server (confidence level: 50%)
80 | Responder botnet C2 server (confidence level: 50%)
445 | Responder botnet C2 server (confidence level: 50%)
5986 | Responder botnet C2 server (confidence level: 50%)
8888 | Unknown malware botnet C2 server (confidence level: 50%)
8888 | Unknown malware botnet C2 server (confidence level: 50%)
8888 | Unknown malware botnet C2 server (confidence level: 50%)
8000 | Remcos botnet C2 server (confidence level: 100%)
53 | Cobalt Strike botnet C2 server (confidence level: 100%)
8888 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
8383 | Loki Password Stealer (PWS) botnet C2 server (confidence level: 50%)
80 | IcedID botnet C2 server (confidence level: 75%)
80 | IcedID botnet C2 server (confidence level: 75%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
29662 | RedLine Stealer botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
Url
Value | Description
---|---
https://vvooowkdqddcqcqcdqggggl.site/vvmd54/ | FAKEUPDATES payload delivery URL (confidence level: 100%)
http://46.18.107.229/wordpressvmimagepacket/1/temporarysql76/phplow2eternal/temphttpvoiddb0/togeo/imagebase/to/64packettest/securelongpoll/better/7/windows58/line/6voiddbcentral/jsupdatewordpress.php | DCRat botnet C2 (confidence level: 100%)
http://fresh1.oracover.buzz/_errorpages/fresh1/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
http://5.161.188.133/69b3ae67feef2db7.php | Stealc botnet C2 (confidence level: 100%)
http://menufreith.sytes.net:8383/ijbjvdgfsh/panel/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 75%)
http://popopuns.club | Alien botnet C2 (confidence level: 80%)
http://uniquebbs.asia | Alien botnet C2 (confidence level: 80%)
http://avvmain.online | Alien botnet C2 (confidence level: 80%)
http://62.109.0.255/uploadslinuximage5/processor6/cdn/dbgenerator/mariadbgeo/flowerlinux5/mariadbpipesecure/5secure/polldle1provider/protectdownloads/7update2test/localdefault/line/track/eternal8/trackjavascriptapi/pollasynccdncentral.php | DCRat botnet C2 (confidence level: 100%)
http://80.85.241.108/ | Vidar botnet C2 (confidence level: 100%)
http://80.85.241.108/liux.zip | Vidar botnet C2 (confidence level: 100%)
https://124.223.222.199/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
https://qianxin.edr-down.uk/owa/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://sybercodesilver.lol/ptj | Cobalt Strike botnet C2 (confidence level: 100%)
https://13.229.134.180/_/scs/mail-static/_/js/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://poqwjoemqzmemzgqegzqzf.online/vvmd54/ | FAKEUPDATES payload delivery URL (confidence level: 100%)
http://qianxin.edr-down.uk/owa/ | Cobalt Strike botnet C2 (confidence level: 100%)
http://141.98.6.249/vdgfsh/panel/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
http://141.98.6.249:8383/vdgfsh/panel/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 75%)
https://fwe43.danamoninternal.com/jquery-3.6.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://fxe12.danamoninternal.com/jquery-3.6.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://116.62.138.140:8081/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
http://service-oshdwnr7-1306743016.bj.apigw.tencentcs.com/api/ymget0905 | Cobalt Strike botnet C2 (confidence level: 100%)
http://152.136.35.240/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://165.154.130.222:4444/match | Cobalt Strike botnet C2 (confidence level: 100%)
http://165.154.130.222:1234/ga.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://service-oshdwnr7-1306743016.bj.apigw.tencentcs.com/api/ymget0905 | Cobalt Strike botnet C2 (confidence level: 100%)
http://124.221.183.95:9966/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://119.3.177.241:8888/ca | Cobalt Strike botnet C2 (confidence level: 100%)
https://139.199.180.136/pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://82.157.101.73:88/push | Cobalt Strike botnet C2 (confidence level: 100%)
http://49.232.197.218:8092/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://139.159.203.44:8001/load | Cobalt Strike botnet C2 (confidence level: 100%)
https://120.53.86.130:8443/level/v5.7/azf0zh83ykv | Cobalt Strike botnet C2 (confidence level: 100%)
http://43.153.222.28:4646/ga.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://124.220.189.137:8888/clemente/details | Cobalt Strike botnet C2 (confidence level: 100%)
http://139.155.42.254:111/j.ad | Cobalt Strike botnet C2 (confidence level: 100%)
http://198.98.52.184:20001/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://192.144.234.209/ptj | Cobalt Strike botnet C2 (confidence level: 100%)
https://43.153.222.28/cx | Cobalt Strike botnet C2 (confidence level: 100%)
https://152.136.47.4/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
http://118.89.71.205:9999/cm | Cobalt Strike botnet C2 (confidence level: 100%)
https://110.40.184.247/pixel | Cobalt Strike botnet C2 (confidence level: 100%)
https://api.0nedriveup.com/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://1.15.244.128:8088/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://175.24.163.235/match | Cobalt Strike botnet C2 (confidence level: 100%)
https://cs.sharksbaby.pro/destroy/v6.82/e4qyn5hvxj | Cobalt Strike botnet C2 (confidence level: 100%)
http://45.94.42.61:8091/activity | Cobalt Strike botnet C2 (confidence level: 100%)
https://38.207.179.124/pixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://116.204.104.60:808/push | Cobalt Strike botnet C2 (confidence level: 100%)
http://116.62.114.96:8080/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://listen.appstored.store/apple-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://13.229.134.180/_/scs/mail-static/_/js/ | Cobalt Strike botnet C2 (confidence level: 100%)
http://br3dq.shop/pl341/index.php | Azorult botnet C2 (confidence level: 100%)
Threat ID: 682acdc4bbaf20d303f216c9
Added to database: 5/19/2025, 6:20:52 AM
Last enriched: 6/18/2025, 7:51:15 AM
Last updated: 8/18/2025, 12:37:40 PM