ThreatFox IOCs for 2023-09-13
AI Analysis
Technical Summary
This entry is the daily indicator export for 2023-09-13 from ThreatFox, the abuse.ch platform on which researchers share Indicators of Compromise (IOCs) tied to named malware families. It is published as an OSINT event (tagged 'type:osint' and 'tlp:white', so it may be shared without restriction) with a MISP threat level of 2 (Medium), analysis state 1 (Ongoing) and distribution 3 (All communities). The distribution value describes who the event may be shared with; it says nothing about how widely the malware has been observed. As a feed entry it carries no affected-product, CWE or patch data, and none is expected: its content is attacker infrastructure, not a vulnerability. Concretely, it lists 108 ip:port command-and-control (C2) endpoints (103 distinct addresses; five are listed with two ports each), 21 C2 domains, 87 C2 and payload URLs and a single MD5 file hash, attributed to a RokRAT payload. An ip:port pair is one ThreatFox indicator type: the address and the port on which its C2 listens, and both halves are needed to use it. Most of the ip:port entries are attributed to post-exploitation frameworks (Cobalt Strike, Meterpreter, Havoc, Brute Ratel C4, Deimos) at 50-100% confidence; the remainder cover commodity RATs (AsyncRAT, NjRAT, Nanocore, STRRAT, Vjw0rm), information stealers (Vidar, RedLine, Lumma, Loki PWS), loaders (IcedID, BumbleBee, DarkGate), SupremeBot and the BianLian backdoor. Many of the URL entries use request paths such as /dpixel, /ga.js, /pixel.gif, /__utm.gif and /ie9compatviewlist.xml, which are the URIs of Cobalt Strike's stock Malleable C2 profile; those records identify a beacon only in combination with their host. Overall this is a medium-severity situational-awareness update whose value lies in the indicators themselves, which security teams should load into their detection stack.
Potential Impact
For European organizations the direct impact is the same as for any other region: ThreatFox does not attribute targeting, and the event names no sector, product or campaign. What it does provide is C2 infrastructure. An internal host connecting to one of the listed ip:port pairs, domains or URLs is evidence of an existing compromise (a beacon calling home), not of reconnaissance, and the families involved (Cobalt Strike, Havoc, Brute Ratel, AsyncRAT, IcedID, BumbleBee, DarkGate, RedLine, Vidar, Lumma) are routinely used for credential theft, data exfiltration and lateral movement and as precursors to ransomware, so confidentiality and integrity are the primary concerns. Two caveats temper the severity. First, the 50%-confidence rows (Havoc, Brute Ratel C4, Deimos, BianLian, Responder and the 'Unknown malware' entries) are scanner-derived fingerprints of exposed servers and may include authorized red-team infrastructure; Cobalt Strike, Meterpreter and Responder are offensive-security tools as well as attacker tooling, and the 'Responder' rows (SMB on 445, HTTP on 80, WinRM on 5985/5986) most likely describe internet-exposed Responder listeners rather than a botnet. A hit on any of these should be checked against the organization's own penetration-testing schedule before escalation. Second, many of the addresses fall in cloud-provider ranges (DigitalOcean, Tencent Cloud, Alibaba Cloud, AWS and Azure address space are all represented), so an address can be reassigned quickly and a match on the IP alone, without the port, ages badly. The medium rating therefore reflects a moderate risk: high value for detection, limited value for prevention, and no availability impact unless an existing infection progresses to a destructive stage.
Mitigation Recommendations
Because the event describes attacker infrastructure rather than a vulnerability, the work is detection and containment, not patching. Organizations should: 1) Load the ip:port pairs, domains and URLs into the SIEM, web proxy, DNS filter and EDR blocklists, keyed on destination address and port together (not address alone) so that reassigned cloud hosts do not generate noise; treat the 80-100% entries as blockable and the 50-75% entries as alert-only pending review. 2) Hunt retrospectively over proxy, firewall, DNS and NetFlow data for as far back as retention allows; the indicators are dated 2023-09-13, so any beacon may already have been running for days. Because most of the URL paths are Cobalt Strike's stock profile URIs, match on host and path together; paths such as /ga.js or /pixel.gif on their own also occur on legitimate sites. 3) Correlate every hit with the internal source: an endpoint talking to a Cobalt Strike or Havoc listener warrants isolation and forensic triage, since these frameworks are normally deployed after initial access. 4) Before escalating, confirm the hit is not an authorized penetration test; Cobalt Strike, Meterpreter and Responder entries at 50-80% confidence are exactly the infrastructure a red team stands up. 5) Keep endpoint signatures and behavioural detections current so that the payloads behind these C2s (IcedID, BumbleBee, DarkGate, RedLine, Vidar, AsyncRAT) are caught even after the network indicator has rotated. 6) Limit blast radius with egress filtering (deny direct outbound connections from workstations to arbitrary high ports such as the 3790, 7443 and 8888 listed here), network segmentation and multi-factor authentication; together these stop a beacon from calling home and a stolen credential from being reused.
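Steps 1 and 2 above, worked as an added example (this is not ThreatFox or abuse.ch code): a small hunt over proxy access-log lines using a subset of this page's ip:port, domain and URL indicators. The indicator values, families and confidence levels are copied from the tables on this page; everything else is assumed for the demo: the Squid-style log format, the constructed log lines and client addresses, and the 80% threshold that separates "block" from "alert". Because the page has no URL table, the family and confidence of each URL indicator are taken from its host's ip:port or domain row. Two of the sample lines are deliberate near-misses (the same path on a benign host, and the right address on the wrong port) to show why both halves of an indicator must match.

```python
"""Hunt proxy access-log lines for ThreatFox 2023-09-13 C2 indicators.

Added example for this page, not ThreatFox/abuse.ch code. Indicator values,
families and confidence levels are copied from the page; the log lines are
constructed for the demo (Squid native access.log layout).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# ip:port rows: the address AND the port must match. Several of these hosts
# sit in cloud ranges that are reassigned quickly, so IP-only matching is noisy.
IP_PORT_IOCS: dict[tuple[str, int], tuple[str, int]] = {
    ("38.6.163.99", 443): ("Cobalt Strike", 80),
    ("45.141.139.227", 3790): ("Meterpreter", 80),
    ("209.38.212.101", 443): ("Havoc", 50),
    ("104.168.201.195", 443): ("Cobalt Strike", 100),
    ("104.168.201.195", 80): ("Cobalt Strike", 100),
    ("45.141.87.89", 9999): ("DarkGate", 100),
}
# Domain rows: a hit on the domain itself or on any subdomain of it.
DOMAIN_IOCS: dict[str, tuple[str, int]] = {
    "gapi-alpha.io": ("Lumma Stealer", 100),
    "silentlegion.duckdns.org": ("SupremeBot", 100),
    "bikeontop.shop": ("DarkGate", 100),
}
# URL rows keyed on (host, path). Family/confidence come from the host's own
# row because the page has no URL table. Path-only matching would be wrong:
# /ga.js and /dot.gif are stock Cobalt Strike profile URIs that legitimate
# sites also serve.
URL_IOCS: dict[tuple[str, str], tuple[str, int]] = {
    ("104.168.201.195", "/ga.js"): ("Cobalt Strike", 100),
    ("54.251.198.129", "/dot.gif"): ("Cobalt Strike", 100),
    ("gapi-alpha.io", "/c2conf"): ("Lumma Stealer", 100),
}

BLOCK_THRESHOLD = 80  # 80-100%: block; 50-75% (scanner-derived): alert only

# Squid native access.log: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


@dataclass(frozen=True)
class Hit:
    client: str
    indicator: str
    family: str
    confidence: int
    action: str  # "block" or "alert"


def _hit(client: str, indicator: str, family: str, confidence: int) -> Hit:
    action = "block" if confidence >= BLOCK_THRESHOLD else "alert"
    return Hit(client, indicator, family, confidence, action)


def classify(line: str) -> Hit | None:
    """Return a Hit if the request in this log line touches an indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    if "://" not in url:          # CONNECT lines log "host:port", not a URL
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    client = m.group("client")

    if (host, path) in URL_IOCS:                       # most specific first
        family, conf = URL_IOCS[(host, path)]
        return _hit(client, f"{host}{path}", family, conf)
    if (host, port) in IP_PORT_IOCS:
        family, conf = IP_PORT_IOCS[(host, port)]
        return _hit(client, f"{host}:{port}", family, conf)
    for domain, (family, conf) in DOMAIN_IOCS.items():
        if host == domain or host.endswith("." + domain):
            return _hit(client, f"{domain} (via {host})", family, conf)
    return None


def hunt(log_text: str) -> list[Hit]:
    """Classify every line of a log and return the hits in log order."""
    return [h for h in map(classify, log_text.splitlines()) if h]


# Constructed sample log. Lines 3 and 4 are near-misses that must NOT match:
# a benign host serving /ga.js, and a listed address on an unlisted port.
SAMPLE_LOG = """\
1694600001.123    210 10.0.0.21 TCP_TUNNEL/200 5120 CONNECT 38.6.163.99:443 - HIER_DIRECT/38.6.163.99 -
1694600002.456     12 10.0.0.22 TCP_MISS/200 812 GET http://104.168.201.195/ga.js - HIER_DIRECT/104.168.201.195 text/javascript
1694600003.789     30 10.0.0.23 TCP_MISS/200 4011 GET http://www.example.com/ga.js - HIER_DIRECT/93.184.216.34 text/javascript
1694600004.000     44 10.0.0.24 TCP_TUNNEL/200 2048 CONNECT 38.6.163.99:8443 - HIER_DIRECT/38.6.163.99 -
1694600005.111     17 10.0.0.25 TCP_MISS/200 120 GET http://cdn.gapi-alpha.io/c2conf - HIER_DIRECT/203.0.113.9 text/plain
1694600006.222     90 10.0.0.26 TCP_TUNNEL/200 3300 CONNECT 209.38.212.101:443 - HIER_DIRECT/209.38.212.101 -
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit.action:5} {hit.client:<10} {hit.indicator:<36} {hit.family} ({hit.confidence}%)")
```

Run against the sample, four of the six lines produce hits: the two Cobalt Strike lines and the Lumma subdomain are "block", the Havoc listener at 50% is "alert", and the two near-misses are silent. The same three dictionaries can be populated from the full list on this page; the matching logic does not change.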
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
Note: in the original extraction each ip:port indicator was split into a "file" line holding the address and a "hash" line holding the port; the pairs are shown merged below, in the original order. The only genuine file hash in the event is the MD5 listed against the RokRAT payload.
- ip:port: 38.6.163.99:443
- ip:port: 117.78.4.157:80
- ip:port: 185.194.148.21:2083
- ip:port: 188.166.191.209:80
- ip:port: 45.141.139.227:3790
- ip:port: 43.129.183.133:80
- ip:port: 179.61.246.206:3790
- ip:port: 94.156.253.138:80
- ip:port: 101.34.36.115:8021
- ip:port: 8.218.151.8:8080
- ip:port: 123.207.20.16:5555
- domain: sirr.tiscali.buzz
- domain: t.takaelot.com
- ip:port: 46.101.108.125:53
- ip:port: 119.29.217.126:443
- ip:port: 34.92.125.242:80
- domain: clouds.localhost-microsoft.com
- ip:port: 43.129.28.136:53
- ip:port: 110.42.222.61:80
- url: https://heike.teofilius.de/blog.php
- ip:port: 175.178.237.218:443
- ip:port: 95.214.27.111:1414
- ip:port: 179.43.162.54:443
- ip:port: 39.105.231.22:8443
- ip:port: 103.186.65.161:443
- ip:port: 38.92.97.11:3790
- ip:port: 62.106.84.215:4444
- ip:port: 82.153.138.238:8081
- ip:port: 43.143.224.71:80
- ip:port: 163.123.143.227:443
- ip:port: 47.104.212.159:80
- ip:port: 5.75.212.216:27015
- ip:port: 116.203.7.16:80
- url: http://5.75.212.216:27015/
- url: http://116.203.7.16/
- url: http://5.75.212.216:27015/htdocs.zip
- url: http://116.203.7.16/htdocs.zip
- ip:port: 147.78.47.238:7443
- ip:port: 8.219.217.130:443
- ip:port: 124.222.181.240:7443
- ip:port: 61.121.83.154:9090
- ip:port: 143.198.46.29:5060
- ip:port: 209.38.212.101:443
- ip:port: 193.149.190.230:443
- ip:port: 159.223.205.33:443
- ip:port: 94.102.59.188:445
- ip:port: 104.200.16.74:443
- ip:port: 182.160.0.248:8888
- ip:port: 123.11.143.174:8888
- ip:port: 154.40.45.92:8888
- ip:port: 45.89.229.24:443
- url: http://service-lqymkqhs-1306655841.gz.apigw.tencentcs.com/api/x
- domain: service-lqymkqhs-1306655841.gz.apigw.tencentcs.com
- ip:port: 60.204.151.115:80
- url: http://139.155.90.81:8001/ie9compatviewlist.xml
- domain: silentlegion.duckdns.org
- ip:port: 115.159.222.197:9092
- ip:port: 54.179.236.48:3790
- ip:port: 139.59.19.114:443
- ip:port: 47.99.111.2:443
- url: https://54.251.198.129/dot.gif
- ip:port: 54.251.198.129:443
- url: https://137.184.97.84:8989/inquiry/meta-inf/yvhac4j11i
- url: https://casualscorner.com/design/query/9x5m3soe0f
- domain: casualscorner.com
- ip:port: 146.0.79.18:443
- url: https://43.138.218.97/pixel.gif
- ip:port: 43.138.218.97:443
- ip:port: 136.244.105.184:31620
- domain: restohalto.site
- url: https://scauditora.cl/absorbability
- url: https://vocesdelatinoamerica.com/personification
- url: https://monkey-lab.net/ggl-live/wp/wp-admin/css/colors/blue/7197.7z
- ip:port: 47.93.121.204:80
- url: http://gaspatchommm.fun/
- ip:port: 119.3.253.250:8001
- ip:port: 88.210.11.219:8443
- ip:port: 42.117.107.194:9246
- domain: xdanetnow.duckdns.org
- url: http://47.120.9.35/g.pixel
- url: http://134.122.204.140:10011/en_us/all.js
- url: http://111.67.195.154:8011/cm
- ip:port: 94.156.6.20:3388
- ip:port: 124.70.179.54:8888
- ip:port: 8.135.60.95:80
- ip:port: 206.189.113.118:8008
- ip:port: 20.237.12.116:443
- ip:port: 81.70.105.161:80
- url: http://gapi-alpha.io/c2conf
- ip:port: 4.151.131.10:1010
- md5: fd67ad03cc71d3397f962896365ed510
- domain: gapi-alpha.io
- ip:port: 175.27.221.235:443
- ip:port: 148.66.6.27:443
- ip:port: 38.132.122.198:443
- ip:port: 206.189.113.118:4433
- ip:port: 101.34.46.239:80
- ip:port: 77.92.95.144:3790
- url: https://imas.uk.com/blog.php
- url: https://ikhwarn.com/blog.php
- domain: gurdubigoma.com
- ip:port: 185.94.29.109:1111
- ip:port: 106.55.181.108:8090
- url: http://wishpeople.duckdns.org:9071/is-ready
- ip:port: 2.59.254.205:9071
- ip:port: 101.33.117.154:2111
- domain: bikeontop.shop
- domain: dreamteamup.shop
- domain: positivereview.cloud
- domain: whatup.cloud
- ip:port: 45.141.87.89:9999
- url: http://185.244.48.221/753e391766d6b25f.php
- ip:port: 62.4.17.47:443
- ip:port: 116.62.188.205:6666
- ip:port: 81.141.154.137:7443
- ip:port: 3.215.181.98:443
- ip:port: 64.176.211.167:80
- ip:port: 139.180.158.92:443
- ip:port: 44.195.147.254:80
- ip:port: 38.242.21.30:80
- ip:port: 89.117.53.115:5985
- ip:port: 162.221.25.38:80
- ip:port: 158.160.16.61:5986
- ip:port: 158.160.16.61:443
- ip:port: 43.154.223.191:8888
- ip:port: 154.39.150.181:8556
- ip:port: 139.198.174.173:8888
- ip:port: 106.75.251.142:8888
- ip:port: 62.234.27.11:8888
- ip:port: 39.105.231.22:5555
- ip:port: 185.225.75.69:8443
- ip:port: 82.156.135.7:80
- ip:port: 139.59.65.211:443
- ip:port: 64.176.212.23:80
- url: https://104.168.201.195/ga.js
- ip:port: 104.168.201.195:443
- url: https://85.31.233.108/visit.js
- ip:port: 85.31.233.108:443
- url: https://sectorzerosecurity.com/__utm.gif
- domain: sectorzerosecurity.com
- ip:port: 138.197.174.202:443
- url: http://185.215.113.35/bkd7djmsa/index.php
- url: http://82.157.57.66/pixel.gif
- url: http://124.70.53.30:8000/ptj
- url: http://104.168.201.195/ca
- ip:port: 104.168.201.195:80
- url: https://34.124.197.156:8443/dpixel
- url: https://d1qzl7xiwymjyn.cloudfront.net/groupcp.html
- domain: d1qzl7xiwymjyn.cloudfront.net
- url: https://212.192.15.231:8443/jquery-3.3.1.min.js
- url: https://143.198.26.169/ga.js
- ip:port: 143.198.26.169:443
- url: https://service-gnzojfcb-1302811215.sh.apigw.tencentcs.com/bootstrap-5.3.1.min.js
- url: http://app.baidu-soft.com/ie9compatviewlist.xml
- domain: app.baidu-soft.com
- url: http://172.111.50.113/updates.rss
- ip:port: 185.81.157.153:55
- ip:port: 185.81.157.153:100
- ip:port: 139.59.29.78:80
- ip:port: 51.89.12.10:6606
- url: http://139.196.191.50:8099/g.pixel
- url: http://154.90.57.70:9090/cm
- url: https://sunshine.nicetrue.one:8443/login.jsp
- url: http://120.48.74.67:8001/dot.gif
- url: https://download.updatebrowser.cn:8443/0rzdkxr/adgjj4b3vrspav9kc3mxi80ofd.css
- domain: download.updatebrowser.cn
- url: https://service-d1yss7wi-1314780031.nj.apigw.tencentcs.com/www/handle/doc
- domain: service-d1yss7wi-1314780031.nj.apigw.tencentcs.com
- url: http://43.138.30.109:8888/dot.gif
- url: https://47.101.41.158:37676/dpixel
- url: https://43.153.222.28/ca
- url: http://175.24.235.158:6060/match
- url: https://43.138.30.109:7777/ptj
- url: https://124.71.84.65/g.pixel
- url: http://107.172.201.137/ie9compatviewlist.xml
- url: http://110.41.11.72/dot.gif
- url: https://1.117.93.65/visit.js
- url: https://47.120.11.176/fwlink
- ip:port: 185.81.157.154:2301
- url: https://101.43.127.45:8443/pixel
- url: http://124.223.22.86/g.pixel
- url: https://43.138.179.199/ca
- url: http://8.142.117.220/updates.rss
- url: http://120.78.156.73:12345/pixel.gif
- url: http://111.231.24.230:54322/dpixel
- url: http://150.158.181.243:8011/dpixel
- url: https://47.101.170.17/dot.gif
- url: http://43.138.62.36:8081/en_us/all.js
- url: https://134.122.204.140/load
- url: https://www.5cq.com/ms
- domain: www.5cq.com
- url: https://139.155.154.67/ie9compatviewlist.xml
- url: https://3.72.68.180/dot.gif
- url: https://120.48.74.67/ga.js
- url: https://api.0nedriveup.com/fwlink
- url: https://34.92.125.242/cm
- url: https://101.32.186.170/pixel.gif
- ip:port: 185.117.91.202:999
- url: http://service-fdlpxzmu-1258021343.gz.apigw.tencentcs.com/api/x
- domain: service-fdlpxzmu-1258021343.gz.apigw.tencentcs.com
- url: http://103.30.43.148:4500/ga.js
- url: http://43.138.62.36:7001/pixel
- url: http://106.75.2.57:7000/g.pixel
- url: http://43.138.179.199:808/ca
- url: http://82.115.223.34/pixel
- url: http://42.193.44.136/g.pixel
- url: http://47.101.170.17:8888/push
- url: http://43.138.30.109:7524/ca
- url: https://43.138.179.199:1811/pixel.gif
- url: http://43.138.62.36:8080/fwlink
- url: http://43.136.14.250/load
- url: http://content.microsoft.com.w.kunlunca.com/en_us/all.js
- url: https://incitewebsolution.com/av
- url: http://124.70.129.64:9090/api/x
- url: https://43.138.62.36/dpixel
- url: http://139.155.154.67:8089/match
- ip:port: 206.53.55.186:8181
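ThreatFox publishes an ip:port indicator as one value, but scrapes of this page split it into a "file" line holding the address and a "hash" line holding the port, so a naive loader would import "443" as a file hash and "38.6.163.99" as a filename. The parser below is an added example (not abuse.ch or ThreatFox code) that accepts both the split layout and a merged "ip:port:" line, validates each value, keeps genuine hashes separate from ports, reports orphans instead of guessing, and renders the ip:port records as Suricata rules. The sample input is constructed from lines on this page (with one deliberate duplicate); the Suricata message text and the sid range starting at 9000001 are assumptions for the demo.

```python
"""Normalize the indicator list on this page into typed records.

Added example, not abuse.ch/ThreatFox code. Handles both the page's split
"file"/"hash" layout and a merged "ip:port:" line; the sample input below
is constructed from lines on this page.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

LINE_RE = re.compile(
    r"^\s*-\s*(?P<kind>ip:port|file|hash|md5|domain|url)\s*:\s*(?P<value>\S+)\s*$"
)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


@dataclass(frozen=True)
class Indicator:
    kind: str   # "ip:port", "domain", "url", "md5", "sha1" or "sha256"
    value: str


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _is_port(s: str) -> bool:
    return s.isdigit() and 0 < int(s) <= 65535


def parse_iocs(text: str) -> tuple[list[Indicator], list[str]]:
    """Return (indicators in page order, rejected lines or fragments)."""
    out: list[Indicator] = []
    rejected: list[str] = []
    pending_ip: str | None = None  # a "file" address waiting for its "hash" port
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            if raw.strip():
                rejected.append(raw)
            continue
        kind, value = m.group("kind"), m.group("value")
        # An address must be followed directly by its port; anything else orphans it.
        if pending_ip is not None and not (kind == "hash" and _is_port(value)):
            rejected.append(f"orphan address: {pending_ip}")
            pending_ip = None
        if kind == "ip:port":
            host, _, port = value.rpartition(":")  # IPv4 only, as on this page
            if _is_ip(host) and _is_port(port):
                out.append(Indicator("ip:port", f"{host}:{int(port)}"))
            else:
                rejected.append(raw)
        elif kind == "file":
            if _is_ip(value):
                pending_ip = value
            else:
                rejected.append(raw)  # the page carries no real filename indicators
        elif kind in ("hash", "md5"):
            if pending_ip is not None and _is_port(value):
                out.append(Indicator("ip:port", f"{pending_ip}:{int(value)}"))
                pending_ip = None
            elif HEX_RE.match(value) and len(value) in HASH_LEN:
                out.append(Indicator(HASH_LEN[len(value)], value.lower()))
            else:
                rejected.append(raw)  # e.g. a bare port with no preceding address
        elif kind == "domain":
            out.append(Indicator("domain", value.lower().rstrip(".")))
        else:  # url
            out.append(Indicator("url", value))
    if pending_ip is not None:
        rejected.append(f"orphan address: {pending_ip}")
    return out, rejected


def dedupe(indicators: Iterable[Indicator]) -> list[Indicator]:
    """Drop repeats while preserving first-seen order."""
    seen: set[Indicator] = set()
    return [i for i in indicators if not (i in seen or seen.add(i))]


def suricata_rules(indicators: Iterable[Indicator], sid_base: int = 9000001,
                   msg: str = "ThreatFox 2023-09-13 C2") -> list[str]:
    """One outbound-connection alert per distinct ip:port (msg and sids assumed)."""
    rules = []
    for i, ind in enumerate(dedupe(x for x in indicators if x.kind == "ip:port")):
        host, port = ind.value.rsplit(":", 1)
        rules.append(
            f'alert tcp $HOME_NET any -> {host} {port} (msg:"{msg} {ind.value}"; '
            f"flow:to_server; classtype:trojan-activity; sid:{sid_base + i}; rev:1;)"
        )
    return rules


# Constructed from lines on this page; the last pair repeats the first.
SAMPLE = """\
- file: 38.6.163.99
- hash: 443
- file: 45.141.139.227
- hash: 3790
- domain: t.takaelot.com
- url: https://heike.teofilius.de/blog.php
- file: 4.151.131.10
- hash: 1010
- hash: fd67ad03cc71d3397f962896365ed510
- domain: gapi-alpha.io
- ip:port: 206.53.55.186:8181
- file: 38.6.163.99
- hash: 443
"""

if __name__ == "__main__":
    indicators, rejected = parse_iocs(SAMPLE)
    for ind in dedupe(indicators):
        print(f"{ind.kind:8} {ind.value}")
    print("\n".join(suricata_rules(indicators)))
    print("rejected:", rejected)
```

On the sample this yields eight distinct indicators (five ip:port, two domains, one URL, one MD5) and four Suricata rules. Feeding it the full list on this page works the same way; the rejected list is the place to look if a scrape ever leaves an address without its port.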
Technical Details
- Threat Level: 2 (MISP threat_level_id; 2 = Medium, matching the report's severity)
- Analysis: 1 (MISP analysis state; 1 = Ongoing)
- Distribution: 3 (MISP distribution; 3 = All communities, a sharing scope rather than a measure of how widely the malware was seen)
- Uuid: f2907247-1258-4819-aeff-de8ea605fec9
- Original Timestamp: 1694649786 (Unix epoch; 2023-09-14 00:03:06 UTC, just after the end of the day the export covers)
Indicators of Compromise
File
Value | Description | Copy |
---|---|---|
file38.6.163.99 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file117.78.4.157 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file185.194.148.21 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file188.166.191.209 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file45.141.139.227 | Meterpreter botnet C2 server (confidence level: 80%) | |
file43.129.183.133 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file179.61.246.206 | Meterpreter botnet C2 server (confidence level: 80%) | |
file94.156.253.138 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file101.34.36.115 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file8.218.151.8 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file123.207.20.16 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file46.101.108.125 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file119.29.217.126 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file34.92.125.242 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file43.129.28.136 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file110.42.222.61 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file175.178.237.218 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file95.214.27.111 | STRRAT botnet C2 server (confidence level: 100%) | |
file179.43.162.54 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file39.105.231.22 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file103.186.65.161 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file38.92.97.11 | Meterpreter botnet C2 server (confidence level: 80%) | |
file62.106.84.215 | AsyncRAT botnet C2 server (confidence level: 80%) | |
file82.153.138.238 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file43.143.224.71 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file163.123.143.227 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file47.104.212.159 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file5.75.212.216 | Vidar botnet C2 server (confidence level: 100%) | |
file116.203.7.16 | Vidar botnet C2 server (confidence level: 100%) | |
file147.78.47.238 | Unknown malware botnet C2 server (confidence level: 50%) | |
file8.219.217.130 | Brute Ratel C4 botnet C2 server (confidence level: 50%) | |
file124.222.181.240 | Unknown malware botnet C2 server (confidence level: 50%) | |
file61.121.83.154 | Deimos botnet C2 server (confidence level: 50%) | |
file143.198.46.29 | BianLian botnet C2 server (confidence level: 50%) | |
file209.38.212.101 | Havoc botnet C2 server (confidence level: 50%) | |
file193.149.190.230 | Havoc botnet C2 server (confidence level: 50%) | |
file159.223.205.33 | Havoc botnet C2 server (confidence level: 50%) | |
file94.102.59.188 | Responder botnet C2 server (confidence level: 50%) | |
file104.200.16.74 | Responder botnet C2 server (confidence level: 50%) | |
file182.160.0.248 | Unknown malware botnet C2 server (confidence level: 50%) | |
file123.11.143.174 | Unknown malware botnet C2 server (confidence level: 50%) | |
file154.40.45.92 | Unknown malware botnet C2 server (confidence level: 50%) | |
file45.89.229.24 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file60.204.151.115 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file115.159.222.197 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file54.179.236.48 | Meterpreter botnet C2 server (confidence level: 80%) | |
file139.59.19.114 | IcedID botnet C2 server (confidence level: 100%) | |
file47.99.111.2 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file54.251.198.129 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file146.0.79.18 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file43.138.218.97 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file136.244.105.184 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file47.93.121.204 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file119.3.253.250 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file88.210.11.219 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file42.117.107.194 | Nanocore RAT botnet C2 server (confidence level: 100%) | |
file94.156.6.20 | NjRAT botnet C2 server (confidence level: 100%) | |
file124.70.179.54 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file8.135.60.95 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file206.189.113.118 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file20.237.12.116 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file81.70.105.161 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file4.151.131.10 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file175.27.221.235 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file148.66.6.27 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file38.132.122.198 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file206.189.113.118 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file101.34.46.239 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file77.92.95.144 | Meterpreter botnet C2 server (confidence level: 80%) | |
file185.94.29.109 | NjRAT botnet C2 server (confidence level: 100%) | |
file106.55.181.108 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file2.59.254.205 | Vjw0rm botnet C2 server (confidence level: 100%) | |
file101.33.117.154 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file45.141.87.89 | DarkGate botnet C2 server (confidence level: 100%) | |
file62.4.17.47 | BumbleBee botnet C2 server (confidence level: 75%) | |
file116.62.188.205 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file81.141.154.137 | Unknown malware botnet C2 server (confidence level: 50%) | |
file3.215.181.98 | Havoc botnet C2 server (confidence level: 50%) | |
file64.176.211.167 | Havoc botnet C2 server (confidence level: 50%) | |
file139.180.158.92 | Havoc botnet C2 server (confidence level: 50%) | |
file44.195.147.254 | Responder botnet C2 server (confidence level: 50%) | |
file38.242.21.30 | Responder botnet C2 server (confidence level: 50%) | |
file89.117.53.115 | Responder botnet C2 server (confidence level: 50%) | |
file162.221.25.38 | Responder botnet C2 server (confidence level: 50%) | |
file158.160.16.61 | Responder botnet C2 server (confidence level: 50%) | |
file158.160.16.61 | Responder botnet C2 server (confidence level: 50%) | |
file43.154.223.191 | Unknown malware botnet C2 server (confidence level: 50%) | |
file154.39.150.181 | Unknown malware botnet C2 server (confidence level: 50%) | |
file139.198.174.173 | Unknown malware botnet C2 server (confidence level: 50%) | |
file106.75.251.142 | Unknown malware botnet C2 server (confidence level: 50%) | |
file62.234.27.11 | Unknown malware botnet C2 server (confidence level: 50%) | |
file39.105.231.22 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file185.225.75.69 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file82.156.135.7 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file139.59.65.211 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file64.176.212.23 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file104.168.201.195 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file85.31.233.108 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file138.197.174.202 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file104.168.201.195 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file143.198.26.169 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file185.81.157.153 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file185.81.157.153 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file139.59.29.78 | IcedID botnet C2 server (confidence level: 75%) | |
file51.89.12.10 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file185.81.157.154 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file185.117.91.202 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file206.53.55.186 | AsyncRAT botnet C2 server (confidence level: 100%) |
Hash
Value | Description | Copy |
---|---|---|
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash2083 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash8021 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash5555 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash1414 | STRRAT botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash4444 | AsyncRAT botnet C2 server (confidence level: 80%) | |
hash8081 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash27015 | Vidar botnet C2 server (confidence level: 100%) | |
hash80 | Vidar botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash443 | Brute Ratel C4 botnet C2 server (confidence level: 50%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash9090 | Deimos botnet C2 server (confidence level: 50%) | |
hash5060 | BianLian botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash445 | Responder botnet C2 server (confidence level: 50%) | |
hash443 | Responder botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash9092 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash443 | IcedID botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash31620 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash8001 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash9246 | Nanocore RAT botnet C2 server (confidence level: 100%) | |
hash3388 | NjRAT botnet C2 server (confidence level: 100%) | |
hash8888 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash8008 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash1010 | AsyncRAT botnet C2 server (confidence level: 75%) | |
hashfd67ad03cc71d3397f962896365ed510 | RokRAT payload (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash4433 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash1111 | NjRAT botnet C2 server (confidence level: 100%) | |
hash8090 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash9071 | Vjw0rm botnet C2 server (confidence level: 100%) | |
hash2111 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash9999 | DarkGate botnet C2 server (confidence level: 100%) | |
hash443 | BumbleBee botnet C2 server (confidence level: 75%) | |
hash6666 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash80 | Havoc botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash80 | Responder botnet C2 server (confidence level: 50%) | |
hash80 | Responder botnet C2 server (confidence level: 50%) | |
hash5985 | Responder botnet C2 server (confidence level: 50%) | |
hash80 | Responder botnet C2 server (confidence level: 50%) | |
hash5986 | Responder botnet C2 server (confidence level: 50%) | |
hash443 | Responder botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8556 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash5555 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash55 | AsyncRAT botnet C2 server (confidence level: 75%) | |
hash100 | AsyncRAT botnet C2 server (confidence level: 75%) | |
hash80 | IcedID botnet C2 server (confidence level: 75%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash2301 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash999 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8181 | AsyncRAT botnet C2 server (confidence level: 100%) |
Domain
Value | Description |
---|---|
sirr.tiscali.buzz | Loki Password Stealer (PWS) botnet C2 domain (confidence level: 50%) |
t.takaelot.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
clouds.localhost-microsoft.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
service-lqymkqhs-1306655841.gz.apigw.tencentcs.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
silentlegion.duckdns.org | SupremeBot botnet C2 domain (confidence level: 100%) |
casualscorner.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
restohalto.site | IcedID Downloader botnet C2 domain (confidence level: 75%) |
xdanetnow.duckdns.org | Nanocore RAT botnet C2 domain (confidence level: 100%) |
gapi-alpha.io | Lumma Stealer botnet C2 domain (confidence level: 100%) |
gurdubigoma.com | IcedID botnet C2 domain (confidence level: 80%) |
bikeontop.shop | DarkGate botnet C2 domain (confidence level: 100%) |
dreamteamup.shop | DarkGate botnet C2 domain (confidence level: 100%) |
positivereview.cloud | DarkGate botnet C2 domain (confidence level: 100%) |
whatup.cloud | DarkGate botnet C2 domain (confidence level: 100%) |
sectorzerosecurity.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
d1qzl7xiwymjyn.cloudfront.net | Cobalt Strike botnet C2 domain (confidence level: 100%) |
app.baidu-soft.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
download.updatebrowser.cn | Cobalt Strike botnet C2 domain (confidence level: 100%) |
service-d1yss7wi-1314780031.nj.apigw.tencentcs.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
www.5cq.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
service-fdlpxzmu-1258021343.gz.apigw.tencentcs.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
Url
Value | Description |
---|---|
https://heike.teofilius.de/blog.php | GootLoader payload delivery URL (confidence level: 100%) |
http://5.75.212.216:27015/ | Vidar botnet C2 (confidence level: 100%) |
http://116.203.7.16/ | Vidar botnet C2 (confidence level: 100%) |
http://5.75.212.216:27015/htdocs.zip | Vidar botnet C2 (confidence level: 100%) |
http://116.203.7.16/htdocs.zip | Vidar botnet C2 (confidence level: 100%) |
http://service-lqymkqhs-1306655841.gz.apigw.tencentcs.com/api/x | Cobalt Strike botnet C2 (confidence level: 100%) |
http://139.155.90.81:8001/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) |
https://54.251.198.129/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
https://137.184.97.84:8989/inquiry/meta-inf/yvhac4j11i | Cobalt Strike botnet C2 (confidence level: 100%) |
https://casualscorner.com/design/query/9x5m3soe0f | Cobalt Strike botnet C2 (confidence level: 100%) |
https://43.138.218.97/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
https://scauditora.cl/absorbability | IcedID payload delivery URL (confidence level: 100%) |
https://vocesdelatinoamerica.com/personification | IcedID payload delivery URL (confidence level: 100%) |
https://monkey-lab.net/ggl-live/wp/wp-admin/css/colors/blue/7197.7z | IcedID payload delivery URL (confidence level: 100%) |
http://gaspatchommm.fun/ | Lumma Stealer botnet C2 (confidence level: 100%) |
http://47.120.9.35/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
http://134.122.204.140:10011/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%) |
http://111.67.195.154:8011/cm | Cobalt Strike botnet C2 (confidence level: 100%) |
http://gapi-alpha.io/c2conf | Lumma Stealer botnet C2 (confidence level: 100%) |
https://imas.uk.com/blog.php | GootLoader payload delivery URL (confidence level: 100%) |
https://ikhwarn.com/blog.php | GootLoader payload delivery URL (confidence level: 100%) |
http://wishpeople.duckdns.org:9071/is-ready | Houdini botnet C2 (confidence level: 100%) |
http://185.244.48.221/753e391766d6b25f.php | Stealc botnet C2 (confidence level: 100%) |
https://104.168.201.195/ga.js | Cobalt Strike botnet C2 (confidence level: 100%) |
https://85.31.233.108/visit.js | Cobalt Strike botnet C2 (confidence level: 100%) |
https://sectorzerosecurity.com/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
http://185.215.113.35/bkd7djmsa/index.php | Amadey botnet C2 (confidence level: 100%) |
http://82.157.57.66/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
http://124.70.53.30:8000/ptj | Cobalt Strike botnet C2 (confidence level: 100%) |
http://104.168.201.195/ca | Cobalt Strike botnet C2 (confidence level: 100%) |
https://34.124.197.156:8443/dpixel | Cobalt Strike botnet C2 (confidence level: 100%) |
https://d1qzl7xiwymjyn.cloudfront.net/groupcp.html | Cobalt Strike botnet C2 (confidence level: 100%) |
https://212.192.15.231:8443/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) |
https://143.198.26.169/ga.js | Cobalt Strike botnet C2 (confidence level: 100%) |
https://service-gnzojfcb-1302811215.sh.apigw.tencentcs.com/bootstrap-5.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) |
http://app.baidu-soft.com/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) |
http://172.111.50.113/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) |
http://139.196.191.50:8099/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
http://154.90.57.70:9090/cm | Cobalt Strike botnet C2 (confidence level: 100%) |
https://sunshine.nicetrue.one:8443/login.jsp | Cobalt Strike botnet C2 (confidence level: 100%) |
http://120.48.74.67:8001/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
https://download.updatebrowser.cn:8443/0rzdkxr/adgjj4b3vrspav9kc3mxi80ofd.css | Cobalt Strike botnet C2 (confidence level: 100%) |
https://service-d1yss7wi-1314780031.nj.apigw.tencentcs.com/www/handle/doc | Cobalt Strike botnet C2 (confidence level: 100%) |
http://43.138.30.109:8888/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
https://47.101.41.158:37676/dpixel | Cobalt Strike botnet C2 (confidence level: 100%) |
https://43.153.222.28/ca | Cobalt Strike botnet C2 (confidence level: 100%) |
http://175.24.235.158:6060/match | Cobalt Strike botnet C2 (confidence level: 100%) |
https://43.138.30.109:7777/ptj | Cobalt Strike botnet C2 (confidence level: 100%) |
https://124.71.84.65/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
http://107.172.201.137/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) |
http://110.41.11.72/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
https://1.117.93.65/visit.js | Cobalt Strike botnet C2 (confidence level: 100%) |
https://47.120.11.176/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) |
https://101.43.127.45:8443/pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
http://124.223.22.86/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
https://43.138.179.199/ca | Cobalt Strike botnet C2 (confidence level: 100%) |
http://8.142.117.220/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) |
http://120.78.156.73:12345/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
http://111.231.24.230:54322/dpixel | Cobalt Strike botnet C2 (confidence level: 100%) |
http://150.158.181.243:8011/dpixel | Cobalt Strike botnet C2 (confidence level: 100%) |
https://47.101.170.17/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
http://43.138.62.36:8081/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%) |
https://134.122.204.140/load | Cobalt Strike botnet C2 (confidence level: 100%) |
https://www.5cq.com/ms | Cobalt Strike botnet C2 (confidence level: 100%) |
https://139.155.154.67/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) |
https://3.72.68.180/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
https://120.48.74.67/ga.js | Cobalt Strike botnet C2 (confidence level: 100%) |
https://api.0nedriveup.com/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) |
https://34.92.125.242/cm | Cobalt Strike botnet C2 (confidence level: 100%) |
https://101.32.186.170/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
http://service-fdlpxzmu-1258021343.gz.apigw.tencentcs.com/api/x | Cobalt Strike botnet C2 (confidence level: 100%) |
http://103.30.43.148:4500/ga.js | Cobalt Strike botnet C2 (confidence level: 100%) |
http://43.138.62.36:7001/pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
http://106.75.2.57:7000/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
http://43.138.179.199:808/ca | Cobalt Strike botnet C2 (confidence level: 100%) |
http://82.115.223.34/pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
http://42.193.44.136/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
http://47.101.170.17:8888/push | Cobalt Strike botnet C2 (confidence level: 100%) |
http://43.138.30.109:7524/ca | Cobalt Strike botnet C2 (confidence level: 100%) |
https://43.138.179.199:1811/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
http://43.138.62.36:8080/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) |
http://43.136.14.250/load | Cobalt Strike botnet C2 (confidence level: 100%) |
http://content.microsoft.com.w.kunlunca.com/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%) |
https://incitewebsolution.com/av | Cobalt Strike botnet C2 (confidence level: 100%) |
http://124.70.129.64:9090/api/x | Cobalt Strike botnet C2 (confidence level: 100%) |
https://43.138.62.36/dpixel | Cobalt Strike botnet C2 (confidence level: 100%) |
http://139.155.154.67:8089/match | Cobalt Strike botnet C2 (confidence level: 100%) |
Threat ID: 682c7abbe3e6de8ceb74d143
Added to database: 5/20/2025, 12:51:07 PM
Last enriched: 6/19/2025, 1:17:23 PM
Last updated: 8/13/2025, 1:04:25 PM
Views: 9