ThreatFox IOCs for 2023-10-06
AI Analysis
Technical Summary
This entry is the 2023-10-06 daily batch of Indicators of Compromise (IOCs) from the ThreatFox MISP feed, with attributes in the MISP categories "Network activity" and "Payload delivery" and tagged as malware-related OSINT. It is a feed update, not a vulnerability disclosure: there is no affected product, no patch and no CVE, and "exploits in the wild" is not a meaningful question to ask of it. What the batch does contain is command-and-control (C2) and payload-delivery infrastructure, each indicator carrying the malware family it was attributed to and the reporter's confidence. By count it is dominated by Cobalt Strike C2 servers, given as IP:port pairs and as URLs whose request paths (/ga.js, /__utm.gif, /dpixel, /pixel.gif, /updates.rss, /fwlink, /load, /match, /ie9compatviewlist.xml, /jquery-3.3.1.min.js, /c/msdownload/update/others/2020/10/29136388_ and /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books) are the request URIs of Cobalt Strike's default profile and of widely shared Malleable C2 profiles. The remainder covers commodity RATs (AsyncRAT, Quasar RAT, Ave Maria, NjRAT, Remcos, DCRat, Nanocore RAT), other C2 frameworks (Sliver, Havoc, BianLian), stealers (Lumma Stealer, RedLine Stealer), loaders and their delivery infrastructure (FAKEUPDATES, also known as SocGholish; GootLoader; Pikabot; IcedID), the IRATA Android malware (an APK download URL with its SHA-256 and MD5, plus its C2 domains), an Alien C2, a Mirai C2 and two Responder listeners. The MISP event metadata reads threat_level_id 2, analysis 1 and distribution 3; on MISP's own scale that is a Medium threat level, an "Ongoing" analysis state and sharing with all communities, not a "low" threat level as the raw numbers might suggest. The feed gives no sample, campaign or victim context beyond family and confidence, so the batch is detection and hunting material rather than a description of a particular attack.
Potential Impact
For European organizations the batch is a detection and hunting resource rather than a weakness to remediate, so on its own it changes nothing about exposed attack surface. Describing the direct risk as "low" is misleading, though: every IP:port, domain and URL here is labelled as live C2 or payload-delivery infrastructure, so a single match in outbound connection, DNS or proxy telemetry is evidence that a host is already compromised or in the process of being compromised, and several of the families represented (Cobalt Strike, Sliver, Havoc, BianLian, IcedID, Pikabot, GootLoader, FAKEUPDATES) are the access and post-exploitation stage commonly seen ahead of hands-on-keyboard intrusions and ransomware deployment. The impact therefore depends entirely on whether your logs contain a hit: none means the batch costs you a feed update, one means an incident. The Medium rating describes the feed entry as aggregate infrastructure intelligence, not the severity of a confirmed beacon from one of your hosts. Sectors routinely targeted with these toolsets (finance, critical infrastructure, public administration, and any Windows-heavy enterprise) should treat matches as high priority; the IRATA and Alien entries are Android malware infrastructure and matter to organisations with managed mobile fleets and to banks whose customers are targeted.
Mitigation Recommendations
Load the indicators into SIEM, IDS/IPS, DNS and proxy filtering and EDR as typed objects, the way ThreatFox publishes them, after the following checks:
- Fix the rendering before ingesting. The list on this page shows each IP:port indicator as two lines, an IP address labelled "file" followed by a port labelled "hash". Nothing in the batch is a filename, and the only real hashes are the SHA-256 and MD5 of the IRATA APK. Pair each IP with the port that follows it and ingest it as a destination IP:port (the MISP ip-dst|port type); loading "443" or "80" as a hash, or an IP as a filename, yields silent non-matches at best.
- Match on IP and port together where a port is given. Several addresses carry several listed ports (101.42.41.136 on 8888, 9999, 10000 and 10001; 193.26.115.167 on 6606, 7707 and 8808), and ports 80 and 443 on a shared-hosting or cloud address also carry legitimate traffic. Treat an address-only hit as a lead to investigate rather than a block decision.
- Block hostnames, not parent zones. The batch includes two CloudFront distributions (*.cloudfront.net), an Azure App Service site (pbfenergy.azurewebsites.net), a Tencent API gateway hostname and dynamic DNS names under con-ip.com and duckdns.org; blocking the parent domain would break legitimate services.
- Drop http://192.168.0.199/c/msdownload/update/others/2016/12/29136388_ before ingestion: it is an RFC 1918 address, probably a sandbox or lab artefact, and will fire on any internal host that happens to hold that address.
- Weight alerts by the published confidence. The 100% entries are tied to a sample or analyst confirmation, while the 50% entries (BianLian, Havoc, Sliver, Responder, "Unknown malware") are typically fingerprint-based, a server answering like a Havoc or Sliver listener, and are more prone to misattribution.
- Hunt backwards as well as forwards: query the past 30 to 90 days of DNS, proxy and NetFlow or Zeek conn logs for these values, since a C2 server listed today was usually live before it was reported.
Beyond the indicators themselves, the families represented point at the usual controls: filter script downloads and "browser update" lures from compromised sites (the FAKEUPDATES lander URLs and the GootLoader comments.php URLs on otherwise legitimate sites), alert on outbound SMB (port 445) to the Internet, which is what the Responder entries would show up as, and confirm EDR coverage for the commodity RATs. Report confirmed sightings back to ThreatFox or your national CSIRT; the feed improves when matches are fed back.
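The ingestion step described above, as an added example that is not part of the ThreatFox feed, of MISP or of the original page: a small Python normaliser that reads the list in the form this page renders it, classifies every value by its shape rather than by its label (so an IP labelled "file" followed by a port labelled "hash" becomes one ip:port indicator, and 32-, 40- or 64-character hex strings become hashes), drops indicators whose host is not globally routable, and then matches constructed proxy-style records against the result, distinguishing an exact ip:port or URL hit from the weaker address-only or domain-only hit. The feed excerpt and log records are constructed for the demo; the indicator values are taken from this page, while 203.0.113.7 and the 10.0.0.0/8 source addresses are placeholders.

```python
"""Normalise a scraped ThreatFox IOC list and match it against log lines. Added
example (not ThreatFox, MISP or page code); feed excerpt and logs are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# The scraper rendered each ip:port indicator as an IP labelled "file" plus a
# port labelled "hash" on the next line, so values are classified by shape only.
SAMPLE_FEED = """\
- file: 138.201.18.225
- hash: 4449
- domain: nmbvcxzasedrt.com
- url: https://nmbvcxzasedrt.com/vvmd54/
- hash: 4e1196b694ec1391ed1874e10f30b2f909a05b9c76828089d2c2aeed5527b687
- hash: 5a736b914a1119389bd94142c013ff5c
- ip:port: 45.66.230.22:4782
- url: http://192.168.0.199/c/msdownload/update/others/2016/12/29136388_
- file: 5.101.0.245
- hash: 80
"""
LINE_RE = re.compile(r"^-\s*[\w:]+:\s*(?P<value>\S.*?)\s*$")
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def classify(value):
    """Infer (kind, normalised value) from the value's shape, never from its label."""
    if m := IP_PORT_RE.match(value):
        return "ip:port", f"{ipaddress.ip_address(m[1])}:{int(m[2])}"
    if value.isdigit() and 1 <= int(value) <= 65535:
        return "port", str(int(value))
    if len(value) in HASH_LEN and re.fullmatch(r"[0-9a-fA-F]+", value):
        return HASH_LEN[len(value)], value.lower()
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        return ("url", value) if "://" in value else ("domain", value.lower().rstrip("."))

def parse_feed(text):
    """Return (indicators, rejected): typed (kind, value) pairs and non-routable drops."""
    values = [classify(m["value"]) for m in map(LINE_RE.match, text.splitlines()) if m]
    indicators, rejected, i = [], [], 0
    while i < len(values):
        kind, value = values[i]
        if kind == "ip" and i + 1 < len(values) and values[i + 1][0] == "port":
            kind, value, i = "ip:port", f"{value}:{values[i + 1][1]}", i + 1
        i += 1
        if kind == "port":                       # a stray port carries no information
            continue
        host = (value.rsplit(":", 1)[0] if kind == "ip:port"
                else value if kind == "ip" else urlsplit(value).hostname)
        try:
            routable = host is None or ipaddress.ip_address(host).is_global
        except ValueError:                       # a hostname, not an IP literal
            routable = True
        if routable:
            indicators.append((kind, value))
        else:
            rejected.append(value)               # e.g. the 192.168.0.199 URL
    return indicators, rejected

class IndicatorSet:
    def __init__(self, indicators):
        self.exact = set(indicators)
        # An address-only hit is weaker evidence (shared hosting, CDNs): alert, do not block.
        self.ips = {v.rsplit(":", 1)[0] for k, v in indicators if k in ("ip", "ip:port")}
        self.domains = {v for k, v in indicators if k == "domain"}

    def match_conn(self, dst_ip, dst_port):
        """'ip:port' on an exact hit, 'ip' on an address-only hit, else None."""
        if ("ip:port", f"{dst_ip}:{dst_port}") in self.exact:
            return "ip:port"
        return "ip" if dst_ip in self.ips else None

    def match_url(self, url):
        """'url' on an exact hit, 'domain'/'ip' when only the host is listed, else None."""
        if ("url", url) in self.exact:
            return "url"
        host = (urlsplit(url).hostname or "").lower()
        return "domain" if host in self.domains else "ip" if host in self.ips else None

# Constructed proxy-style records: "<ts> <src> <dst_ip> <dst_port> <url or ->".
SAMPLE_LOGS = [
    "2023-10-06T12:00:01Z 10.0.0.5 138.201.18.225 4449 -",
    "2023-10-06T12:00:02Z 10.0.0.5 138.201.18.225 443 -",
    "2023-10-06T12:00:04Z 10.0.0.7 203.0.113.7 443 https://nmbvcxzasedrt.com/vvmd54/",
    "2023-10-06T12:00:05Z 10.0.0.7 203.0.113.7 443 https://nmbvcxzasedrt.com/lander/x.php",
]

def scan_logs(index, lines):
    """Return [(line, match kind)] for every record that hits an indicator."""
    hits = []
    for line in lines:
        _ts, _src, dst_ip, dst_port, url = line.split()
        kind = index.match_conn(dst_ip, int(dst_port))
        if not kind and url != "-":
            kind = index.match_url(url)
        if kind:
            hits.append((line, kind))
    return hits
```

Run it as `iocs, dropped = parse_feed(SAMPLE_FEED); scan_logs(IndicatorSet(iocs), SAMPLE_LOGS)`: the first record hits on the exact 138.201.18.225:4449 pair, the second only on the address (port 443 is not listed for that host), the third on the exact FAKEUPDATES URL and the fourth only on the domain, while the 192.168.0.199 URL is reported in `dropped` and never enters the index. The same routine works unchanged on the corrected "ip:port:" rendering of the list, because the label is never consulted.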
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
(The source page rendered each IP:port indicator as an IP address labelled "file" followed by its port labelled "hash"; the pairs are recombined here. The two genuine hashes are the SHA-256 and MD5 of the IRATA APK.)
- ip:port: 138.201.18.225:4449
- domain: nmbvcxzasedrt.com
- url: https://nmbvcxzasedrt.com/vvmd54/
- url: https://nmbvcxzasedrt.com/lander/chrome_1695206714/_index.php
- url: http://fgkdfkfddxzy.xyz
- url: https://nmbvcxzasedrt.com/zgbn19mx
- url: https://fablane.com/cdn-js/minlen.php
- url: https://fablane.com/cdn/qzwewmrqqgqnaww.php
- url: https://residencialcasabrasileira.com/111.php
- url: https://legalny.com.pl/comments.php
- url: http://haroldmoscotelora09.con-ip.com:1995
- url: http://terlevisor23.con-ip.com:1883
- url: http://claudiabetancurlora09.con-ip.com:1995
- url: http://vanidad.con-ip.com:7770
- url: http://artificialleath.fun/api
- url: http://noisemakjelly.fun/api
- domain: sahame.symen.ir
- domain: symen.ir
- url: https://adl-vq.vizvaz.com/saham.apk
- domain: adl-vq.vizvaz.com
- sha256: 4e1196b694ec1391ed1874e10f30b2f909a05b9c76828089d2c2aeed5527b687
- md5: 5a736b914a1119389bd94142c013ff5c
- domain: mynameisnull.site
- url: https://mynameisnull.site/config/-1001228456341
- url: https://mynameisnull.site/api/-1001228456341
- url: https://mynameisnull.site/api/
- url: https://mynameisnull.site/config/
- url: https://gta-fportal.com/game/?e=73661
- url: https://gta-fportal.com/game
- url: https://gta-fportal.com
- domain: gta-fportal.com
- url: http://weaselplacerif.fun/api
- ip:port: 80.76.51.70:7443
- ip:port: 45.86.163.188:100
- ip:port: 45.86.163.188:443
- ip:port: 46.148.139.144:80
- ip:port: 3.81.68.30:443
- ip:port: 34.227.89.96:443
- ip:port: 45.138.16.248:443
- ip:port: 142.171.158.253:8888
- url: https://plawers.com/toa/
- domain: plawers.com
- url: http://146.56.118.82:443/witi
- url: http://5.101.0.245/pixel.gif
- url: http://5.101.0.241/__utm.gif
- url: http://5.101.0.245/activity
- url: http://5.101.0.241/dpixel
- url: http://47.94.130.42:88/en_us/all.js
- url: http://81.161.229.129/match
- url: http://20.237.62.65:4444/ga.js
- url: http://45.207.27.79:8080/ca
- url: http://123.249.115.56:8083/updates.rss
- ip:port: 101.42.41.136:10000
- url: https://d2d756ulnohqjs.cloudfront.net/jdbc.htm
- domain: d2d756ulnohqjs.cloudfront.net
- ip:port: 3.138.201.44:443
- ip:port: 82.156.136.247:443
- url: https://124.70.141.123/jquery-3.3.1.min.js
- url: http://122.9.136.39:7777/dot.gif
- url: http://121.4.50.245:8010/visit.js
- url: http://1.12.60.132:5555/load
- ip:port: 148.66.2.195:8080
- url: http://124.220.224.87:5555/ga.js
- url: http://175.178.150.86/ca
- url: http://124.222.149.52:4444/ie9compatviewlist.xml
- url: http://101.43.13.21:9998/ie9compatviewlist.xml
- url: http://124.71.130.71/fwlink
- url: http://165.22.225.110/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- ip:port: 165.22.225.110:80
- url: http://103.146.158.207/dpixel
- ip:port: 103.146.158.207:80
- url: https://211.149.146.23:10443/api/getit
- url: http://45.152.64.178:8086/j.ad
- url: http://116.205.189.199:6666/jd/
- url: https://upcls.online/c/msdownload/update/others/2020/10/29136388_
- domain: upcls.online
- url: https://79.110.62.156/c/msdownload/update/others/2020/10/29136388_
- ip:port: 79.110.62.156:443
- url: http://81.71.68.50:8099/search/
- url: https://51.250.16.184/updates.rss
- ip:port: 51.250.16.184:443
- url: http://119.23.52.84:3333/fwlink
- ip:port: 101.42.41.136:9999
- ip:port: 60.204.202.16:8888
- url: http://72.44.69.115:8001/ca
- url: http://152.136.116.44:8032/jquery-3.3.1.min.js
- ip:port: 101.42.41.136:8888
- ip:port: 111.229.252.29:8888
- url: http://117.72.35.30:2222/updates.rss
- url: http://185.162.235.241/ptj
- ip:port: 185.162.235.241:80
- url: https://43.138.235.42/ie9compatviewlist.xml
- url: https://helloone.accountants.monster:8443/index.jsp
- domain: helloone.accountants.monster
- ip:port: 121.37.206.148:8443
- ip:port: 138.68.171.72:443
- ip:port: 8.140.20.240:80
- url: http://139.9.93.128/ie9compatviewlist.xml
- ip:port: 91.103.253.22:1080
- url: http://101.43.70.206:8888/ga.js
- url: http://43.140.199.163:8090/__utm.gif
- url: http://60.204.171.143/cx
- ip:port: 60.204.171.143:80
- url: http://101.43.13.21:9999/visit.js
- url: http://82.156.4.204/push
- ip:port: 82.156.4.204:80
- url: https://acornservices.org/ex4600.html
- domain: acornservices.org
- ip:port: 5.42.67.7:443
- url: http://39.107.233.55/pixel
- url: http://8.134.154.168:6666/load
- url: http://8.130.121.136:8888/en_us/all.js
- url: http://8.140.198.4/cx
- ip:port: 8.140.198.4:80
- url: http://124.223.62.233/dot.gif
- url: http://101.46.91.89:4444/en_us/all.js
- ip:port: 101.43.13.21:4444
- url: http://118.31.34.136:9988/load
- url: http://123.60.140.76:8000/match
- url: https://pbfenergy.azurewebsites.net/api/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- domain: pbfenergy.azurewebsites.net
- ip:port: 68.183.124.131:443
- url: http://106.75.214.55/ie9compatviewlist.xml
- url: http://82.156.136.99:8087/updates.rss
- ip:port: 101.42.41.136:10001
- url: http://101.6.15.130:9090/ga.js
- ip:port: 101.32.187.150:9090
- url: http://47.74.25.100:7777/fwlink
- url: https://119.45.188.119:8443/jquery-3.3.1.min.js
- url: http://116.205.241.185:50000/updates.rss
- url: http://43.138.235.42/__utm.gif
- ip:port: 43.138.235.42:80
- url: http://82.157.154.247/updates.rss
- ip:port: 82.157.154.247:80
- url: http://119.23.229.180:8090/match
- url: https://firefox.org.cn:8443/jquery-3.3.1.min.js
- ip:port: 81.70.190.25:8443
- url: http://124.220.180.112:84/pixel.gif
- ip:port: 110.42.192.76:4444
- url: https://d2cpd93ebiah9g.cloudfront.net/jdbc.htm
- domain: d2cpd93ebiah9g.cloudfront.net
- ip:port: 3.23.99.111:443
- url: http://124.222.149.52:9999/cm
- url: http://121.4.154.20:81/__utm.gif
- url: http://82.156.161.35/load
- ip:port: 81.19.138.95:443
- ip:port: 82.156.161.35:80
- url: https://120.25.167.104/jquery-3.3.1.min.js
- url: https://wsexdrcftgyy191.com/vvmd54/
- url: https://wsexdrcftgyy191.com/zgbn19mx
- url: https://wsexdrcftgyy191.com/lander/chrome_1695206714/_index.php
- ip:port: 20.197.231.178:1018
- ip:port: 144.208.127.144:443
- url: http://firmpanacewa.fun/api
- url: http://1.117.79.251:88/load
- url: http://119.23.52.84:8000/j.ad
- url: http://101.42.101.185:8008/__utm.gif
- url: https://service-n0tf95ic-1305872204.gz.apigw.tencentcs.com/bootstrap-5.3.1.min.js
- domain: service-n0tf95ic-1305872204.gz.apigw.tencentcs.com
- url: http://1.117.79.251:1234/push
- url: https://lewispublishing.org/comments.php
- url: https://local.silly-beer.com/comments.php
- url: https://manfredfohringer.de/comments.php
- url: https://markadsrad.ru.is/comments.php
- domain: wsexdrcftgyy191.com
- url: http://185.225.75.242/download/xmrig.x86_64
- url: http://npskudlu.com/cllip.exe
- url: http://begonblom.fun/api
- ip:port: 5.42.76.85:60195
- domain: fgudhiiugiufgifufgihdhuidfxgd.duckdns.org
- ip:port: 45.66.230.22:5200
- ip:port: 45.66.230.22:4782
- ip:port: 79.110.62.189:30305
- ip:port: 193.26.115.167:6606
- ip:port: 193.26.115.167:7707
- ip:port: 193.26.115.167:8808
- url: http://60.204.202.16:9090/dpixel
- url: http://110.42.192.76/dpixel
- ip:port: 124.223.62.233:4444
- ip:port: 185.16.38.41:2035
- ip:port: 185.241.208.114:5555
- ip:port: 185.241.208.203:6606
- url: http://thuspulllig.fun/api
- ip:port: 4.151.131.10:2404
- ip:port: 185.16.38.41:2023
- ip:port: 185.81.157.21:2404
- ip:port: 209.145.56.0:57
- ip:port: 185.241.208.42:4444
- ip:port: 185.241.208.42:2266
- ip:port: 5.42.65.15:46324
- ip:port: 193.27.72.137:1177
- url: http://45.15.156.141/
- domain: cache.thorjane.com
- ip:port: 38.180.78.177:53
- ip:port: 87.239.108.174:8443
- ip:port: 87.239.108.174:31337
- ip:port: 216.128.141.126:7443
- ip:port: 151.236.8.237:80
- ip:port: 178.128.111.190:443
- ip:port: 20.19.1.146:443
- ip:port: 194.182.78.107:443
- ip:port: 167.235.149.241:445
- ip:port: 44.212.57.147:445
- ip:port: 179.13.2.154:2323
- ip:port: 193.42.36.101:80
- url: http://192.168.0.199/c/msdownload/update/others/2016/12/29136388_
- ip:port: 75.60.22.100:80
- url: http://162.14.98.165/__utm.gif
- ip:port: 162.14.98.165:80
- url: https://8.137.102.137/fwlink
- ip:port: 8.137.102.137:443
- ip:port: 114.116.15.43:443
Technical Details
- Threat Level: 2 (MISP scale: Medium)
- Analysis: 1 (MISP scale: Ongoing)
- Distribution: 3 (MISP scale: All communities)
- Uuid: fc25e89a-b6f9-4e8c-93a1-2f25e43d65ba
- Original Timestamp: 1696636986 (2023-10-07T00:03:06Z)
Indicators of Compromise
IP:port
(The source page split these into a "File" table of IP addresses and a "Hash" table of ports; each address is recombined here with the port that was listed for it.)
Value | Description
---|---
138.201.18.225:4449 | AsyncRAT botnet C2 server (confidence level: 100%)
80.76.51.70:7443 | Unknown malware botnet C2 server (confidence level: 50%)
45.86.163.188:100 | BianLian botnet C2 server (confidence level: 50%)
45.86.163.188:443 | BianLian botnet C2 server (confidence level: 50%)
46.148.139.144:80 | BianLian botnet C2 server (confidence level: 50%)
3.81.68.30:443 | BianLian botnet C2 server (confidence level: 50%)
34.227.89.96:443 | Havoc botnet C2 server (confidence level: 50%)
45.138.16.248:443 | Havoc botnet C2 server (confidence level: 50%)
142.171.158.253:8888 | Unknown malware botnet C2 server (confidence level: 50%)
101.42.41.136:10000 | Cobalt Strike botnet C2 server (confidence level: 100%)
3.138.201.44:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
82.156.136.247:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
148.66.2.195:8080 | Cobalt Strike botnet C2 server (confidence level: 100%)
165.22.225.110:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
103.146.158.207:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
79.110.62.156:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
51.250.16.184:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
101.42.41.136:9999 | Cobalt Strike botnet C2 server (confidence level: 100%)
60.204.202.16:8888 | Cobalt Strike botnet C2 server (confidence level: 100%)
101.42.41.136:8888 | Cobalt Strike botnet C2 server (confidence level: 100%)
111.229.252.29:8888 | Cobalt Strike botnet C2 server (confidence level: 100%)
185.162.235.241:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
121.37.206.148:8443 | Cobalt Strike botnet C2 server (confidence level: 100%)
138.68.171.72:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
8.140.20.240:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
91.103.253.22:1080 | Cobalt Strike botnet C2 server (confidence level: 100%)
60.204.171.143:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
82.156.4.204:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
5.42.67.7:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
8.140.198.4:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
101.43.13.21:4444 | Cobalt Strike botnet C2 server (confidence level: 100%)
68.183.124.131:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
101.42.41.136:10001 | Cobalt Strike botnet C2 server (confidence level: 100%)
101.32.187.150:9090 | Cobalt Strike botnet C2 server (confidence level: 100%)
43.138.235.42:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
82.157.154.247:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
81.70.190.25:8443 | Cobalt Strike botnet C2 server (confidence level: 100%)
110.42.192.76:4444 | Cobalt Strike botnet C2 server (confidence level: 100%)
3.23.99.111:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
81.19.138.95:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
82.156.161.35:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
20.197.231.178:1018 | NjRAT botnet C2 server (confidence level: 100%)
144.208.127.144:443 | FAKEUPDATES payload delivery server (confidence level: 100%)
5.42.76.85:60195 | Mirai botnet C2 server (confidence level: 75%)
45.66.230.22:5200 | Ave Maria botnet C2 server (confidence level: 100%)
45.66.230.22:4782 | Quasar RAT botnet C2 server (confidence level: 100%)
79.110.62.189:30305 | AsyncRAT botnet C2 server (confidence level: 100%)
193.26.115.167:6606 | AsyncRAT botnet C2 server (confidence level: 75%)
193.26.115.167:7707 | AsyncRAT botnet C2 server (confidence level: 75%)
193.26.115.167:8808 | AsyncRAT botnet C2 server (confidence level: 75%)
124.223.62.233:4444 | Cobalt Strike botnet C2 server (confidence level: 100%)
185.16.38.41:2035 | AsyncRAT botnet C2 server (confidence level: 100%)
185.241.208.114:5555 | AsyncRAT botnet C2 server (confidence level: 100%)
185.241.208.203:6606 | AsyncRAT botnet C2 server (confidence level: 100%)
4.151.131.10:2404 | AsyncRAT botnet C2 server (confidence level: 75%)
185.16.38.41:2023 | AsyncRAT botnet C2 server (confidence level: 100%)
185.81.157.21:2404 | AsyncRAT botnet C2 server (confidence level: 100%)
209.145.56.0:57 | AsyncRAT botnet C2 server (confidence level: 75%)
185.241.208.42:4444 | AsyncRAT botnet C2 server (confidence level: 100%)
185.241.208.42:2266 | AsyncRAT botnet C2 server (confidence level: 100%)
5.42.65.15:46324 | RedLine Stealer botnet C2 server (confidence level: 100%)
193.27.72.137:1177 | NjRAT botnet C2 server (confidence level: 100%)
38.180.78.177:53 | Cobalt Strike botnet C2 server (confidence level: 100%)
87.239.108.174:8443 | Sliver botnet C2 server (confidence level: 50%)
87.239.108.174:31337 | Sliver botnet C2 server (confidence level: 50%)
216.128.141.126:7443 | Unknown malware botnet C2 server (confidence level: 50%)
151.236.8.237:80 | BianLian botnet C2 server (confidence level: 50%)
178.128.111.190:443 | Havoc botnet C2 server (confidence level: 50%)
20.19.1.146:443 | Havoc botnet C2 server (confidence level: 50%)
194.182.78.107:443 | Havoc botnet C2 server (confidence level: 50%)
167.235.149.241:445 | Responder botnet C2 server (confidence level: 50%)
44.212.57.147:445 | Responder botnet C2 server (confidence level: 50%)
179.13.2.154:2323 | DCRat botnet C2 server (confidence level: 50%)
193.42.36.101:80 | IcedID botnet C2 server (confidence level: 75%)
75.60.22.100:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
162.14.98.165:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
8.137.102.137:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
114.116.15.43:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
Hash
Value | Description
---|---
4e1196b694ec1391ed1874e10f30b2f909a05b9c76828089d2c2aeed5527b687 (SHA-256) | IRATA payload (confidence level: 100%)
5a736b914a1119389bd94142c013ff5c (MD5) | IRATA payload (confidence level: 100%)
Domain
Value | Description
---|---
nmbvcxzasedrt.com | FAKEUPDATES payload delivery domain (confidence level: 100%)
sahame.symen.ir | IRATA botnet C2 domain (confidence level: 100%)
symen.ir | IRATA botnet C2 domain (confidence level: 100%)
adl-vq.vizvaz.com | IRATA payload delivery domain (confidence level: 100%)
mynameisnull.site | IRATA botnet C2 domain (confidence level: 100%)
gta-fportal.com | IRATA botnet C2 domain (confidence level: 100%)
plawers.com | Pikabot payload delivery domain (confidence level: 100%)
d2d756ulnohqjs.cloudfront.net | Cobalt Strike botnet C2 domain (confidence level: 100%)
upcls.online | Cobalt Strike botnet C2 domain (confidence level: 100%)
helloone.accountants.monster | Cobalt Strike botnet C2 domain (confidence level: 100%)
acornservices.org | Cobalt Strike botnet C2 domain (confidence level: 100%)
pbfenergy.azurewebsites.net | Cobalt Strike botnet C2 domain (confidence level: 100%)
d2cpd93ebiah9g.cloudfront.net | Cobalt Strike botnet C2 domain (confidence level: 100%)
service-n0tf95ic-1305872204.gz.apigw.tencentcs.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
wsexdrcftgyy191.com | FAKEUPDATES payload delivery domain (confidence level: 100%)
fgudhiiugiufgifufgihdhuidfxgd.duckdns.org | Nanocore RAT botnet C2 domain (confidence level: 100%)
cache.thorjane.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
Url
Value | Description
---|---
https://nmbvcxzasedrt.com/vvmd54/ | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://nmbvcxzasedrt.com/lander/chrome_1695206714/_index.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
http://fgkdfkfddxzy.xyz | Alien botnet C2 (confidence level: 80%)
https://nmbvcxzasedrt.com/zgbn19mx | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://fablane.com/cdn-js/minlen.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://fablane.com/cdn/qzwewmrqqgqnaww.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://residencialcasabrasileira.com/111.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://legalny.com.pl/comments.php | GootLoader payload delivery URL (confidence level: 100%)
http://haroldmoscotelora09.con-ip.com:1995 | Remcos botnet C2 (confidence level: 100%)
http://terlevisor23.con-ip.com:1883 | Remcos botnet C2 (confidence level: 100%)
http://claudiabetancurlora09.con-ip.com:1995 | Remcos botnet C2 (confidence level: 100%)
http://vanidad.con-ip.com:7770 | Remcos botnet C2 (confidence level: 100%)
http://artificialleath.fun/api | Lumma Stealer botnet C2 (confidence level: 100%)
http://noisemakjelly.fun/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://adl-vq.vizvaz.com/saham.apk | IRATA payload delivery URL (confidence level: 100%)
https://mynameisnull.site/config/-1001228456341 | IRATA botnet C2 (confidence level: 100%)
https://mynameisnull.site/api/-1001228456341 | IRATA botnet C2 (confidence level: 100%)
https://mynameisnull.site/api/ | IRATA botnet C2 (confidence level: 100%)
https://mynameisnull.site/config/ | IRATA botnet C2 (confidence level: 100%)
https://gta-fportal.com/game/?e=73661 | IRATA botnet C2 (confidence level: 100%)
https://gta-fportal.com/game | IRATA botnet C2 (confidence level: 100%)
https://gta-fportal.com | IRATA botnet C2 (confidence level: 100%)
http://weaselplacerif.fun/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://plawers.com/toa/ | Pikabot payload delivery URL (confidence level: 100%)
http://146.56.118.82:443/witi | Cobalt Strike botnet C2 (confidence level: 75%)
http://5.101.0.245/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://5.101.0.241/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://5.101.0.245/activity | Cobalt Strike botnet C2 (confidence level: 100%)
http://5.101.0.241/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://47.94.130.42:88/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://81.161.229.129/match | Cobalt Strike botnet C2 (confidence level: 100%)
http://20.237.62.65:4444/ga.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://45.207.27.79:8080/ca | Cobalt Strike botnet C2 (confidence level: 100%)
http://123.249.115.56:8083/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
https://d2d756ulnohqjs.cloudfront.net/jdbc.htm | Cobalt Strike botnet C2 (confidence level: 100%)
https://124.70.141.123/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://122.9.136.39:7777/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://121.4.50.245:8010/visit.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://1.12.60.132:5555/load | Cobalt Strike botnet C2 (confidence level: 100%)
http://124.220.224.87:5555/ga.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://175.178.150.86/ca | Cobalt Strike botnet C2 (confidence level: 100%)
http://124.222.149.52:4444/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
http://101.43.13.21:9998/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
http://124.71.130.71/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
http://165.22.225.110/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%)
http://103.146.158.207/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
https://211.149.146.23:10443/api/getit | Cobalt Strike botnet C2 (confidence level: 100%)
http://45.152.64.178:8086/j.ad | Cobalt Strike botnet C2 (confidence level: 100%)
http://116.205.189.199:6666/jd/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://upcls.online/c/msdownload/update/others/2020/10/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%)
https://79.110.62.156/c/msdownload/update/others/2020/10/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%)
http://81.71.68.50:8099/search/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://51.250.16.184/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
http://119.23.52.84:3333/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
http://72.44.69.115:8001/ca | Cobalt Strike botnet C2 (confidence level: 100%)
http://152.136.116.44:8032/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://117.72.35.30:2222/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
urlhttp://185.162.235.241/ptj | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://43.138.235.42/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://helloone.accountants.monster:8443/index.jsp | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://139.9.93.128/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://101.43.70.206:8888/ga.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://43.140.199.163:8090/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://60.204.171.143/cx | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://101.43.13.21:9999/visit.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://82.156.4.204/push | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://acornservices.org/ex4600.html | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://39.107.233.55/pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://8.134.154.168:6666/load | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://8.130.121.136:8888/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://8.140.198.4/cx | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://124.223.62.233/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://101.46.91.89:4444/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://118.31.34.136:9988/load | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://123.60.140.76:8000/match | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://pbfenergy.azurewebsites.net/api/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://106.75.214.55/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://82.156.136.99:8087/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://101.6.15.130:9090/ga.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://47.74.25.100:7777/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://119.45.188.119:8443/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://116.205.241.185:50000/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://43.138.235.42/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://82.157.154.247/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://119.23.229.180:8090/match | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://firefox.org.cn:8443/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://124.220.180.112:84/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://d2cpd93ebiah9g.cloudfront.net/jdbc.htm | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://124.222.149.52:9999/cm | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://121.4.154.20:81/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://82.156.161.35/load | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://120.25.167.104/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://wsexdrcftgyy191.com/vvmd54/ | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://wsexdrcftgyy191.com/zgbn19mx | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://wsexdrcftgyy191.com/lander/chrome_1695206714/_index.php | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttp://firmpanacewa.fun/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttp://1.117.79.251:88/load | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://119.23.52.84:8000/j.ad | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://101.42.101.185:8008/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://service-n0tf95ic-1305872204.gz.apigw.tencentcs.com/bootstrap-5.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://1.117.79.251:1234/push | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://lewispublishing.org/comments.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://local.silly-beer.com/comments.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://manfredfohringer.de/comments.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://markadsrad.ru.is/comments.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttp://185.225.75.242/download/xmrig.x86_64 | Cpuminer botnet C2 (confidence level: 75%) | |
urlhttp://npskudlu.com/cllip.exe | Lumma Stealer payload delivery URL (confidence level: 50%) | |
urlhttp://begonblom.fun/api | Lumma Stealer botnet C2 (confidence level: 50%) | |
urlhttp://60.204.202.16:9090/dpixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://110.42.192.76/dpixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://thuspulllig.fun/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttp://45.15.156.141/ | RecordBreaker botnet C2 (confidence level: 100%) | |
urlhttp://192.168.0.199/c/msdownload/update/others/2016/12/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://162.14.98.165/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://8.137.102.137/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) |
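Two things in the table above trip up naive ingestion. Most of the Cobalt Strike rows use the default Malleable C2 GET URIs (`/__utm.gif`, `/dpixel`, `/ga.js`, `/updates.rss`, `/jquery-3.3.1.min.js`, `/ie9compatviewlist.xml` and so on); those paths also appear in legitimate traffic (`/__utm.gif` is the classic Google Analytics beacon, `/jquery-3.3.1.min.js` is a CDN file), so a rule keyed on the path alone will fire constantly. And one row, `http://192.168.0.199/...`, is an RFC 1918 address that cannot be an internet-facing C2 server; it most likely comes from a sandbox or lab configuration and should go to an analyst rather than a blocklist. The example below is added here and is not ThreatFox or MISP code. It parses rows in the feed's own shape, keys the matcher on host, port and path together, parks non-routable hosts and rows under a confidence threshold in a review list, and runs the result over a constructed proxy log. The log format (timestamp, client IP, method, URL) and the six IOC rows embedded as sample input are taken or constructed for this demonstration.

```python
"""Turn ThreatFox URL indicators into a host+port+path matcher and scan proxy logs.

Added example for this page, not ThreatFox/MISP code. IOC_ROWS are copied from
the feed table above in its own "url<value> | description" shape; PROXY_LOG is
constructed for the demo and its line format is an assumption.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Six rows from the feed table above (sample input for the parser).
IOC_ROWS = [
    "urlhttp://noisemakjelly.fun/api | Lumma Stealer botnet C2 (confidence level: 100%) | |",
    "urlhttp://5.101.0.241/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |",
    "urlhttps://124.70.141.123/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |",
    "urlhttp://192.168.0.199/c/msdownload/update/others/2016/12/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%) | |",
    "urlhttp://npskudlu.com/cllip.exe | Lumma Stealer payload delivery URL (confidence level: 50%) | |",
    "urlhttp://146.56.118.82:443/witi | Cobalt Strike botnet C2 (confidence level: 75%) | |",
]

# Constructed proxy log: "<timestamp> <client> <method> <url>" (assumed format).
PROXY_LOG = """\
2023-10-06T10:01:12Z 10.0.4.17 GET http://noisemakjelly.fun/api
2023-10-06T10:02:03Z 10.0.4.17 GET http://www.google-analytics.com/__utm.gif?utmwv=5
2023-10-06T10:02:40Z 10.0.5.9 GET http://5.101.0.241/__utm.gif
2023-10-06T10:03:15Z 10.0.5.9 GET https://code.jquery.com/jquery-3.3.1.min.js
2023-10-06T10:04:00Z 10.0.7.2 GET http://192.168.0.199/c/msdownload/update/others/2016/12/29136388_
2023-10-06T10:05:30Z 10.0.7.2 GET http://npskudlu.com/cllip.exe
"""

ROW_RE = re.compile(
    r"^url(?P<url>\S+)\s*\|\s*(?P<malware>.+?) "
    r"(?P<kind>botnet C2|payload delivery URL) \(confidence level: (?P<conf>\d+)%\)"
)


def url_key(url):
    """(host, port, path) for a URL; default port follows the scheme."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.hostname, port, p.path or "/")


def parse_row(row):
    """Split one feed row into its fields, or return None if it does not match."""
    m = ROW_RE.match(row)
    if not m:
        return None
    host, port, path = url_key(m["url"])
    return {"url": m["url"], "host": host, "port": port, "path": path,
            "malware": m["malware"], "kind": m["kind"], "confidence": int(m["conf"])}


def is_routable(host):
    """False for private/loopback/link-local IP literals; hostnames are treated as routable."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def build_matcher(rows, min_confidence=75):
    """Return (matcher table keyed on host+port+path, rows parked for analyst review)."""
    table, review = {}, []
    for row in rows:
        ioc = parse_row(row)
        if ioc is None:
            continue
        if ioc["confidence"] < min_confidence or not is_routable(ioc["host"]):
            review.append(ioc)
            continue
        table[(ioc["host"], ioc["port"], ioc["path"])] = ioc
    return table, review


def scan_log(log_text, table):
    """Match each proxy request on host+port+path; generic paths alone never match."""
    hits = []
    for line in log_text.splitlines():
        ts, client, _method, url = line.split(maxsplit=3)
        ioc = table.get(url_key(url))
        if ioc:
            hits.append((ts, client, ioc["malware"], ioc["kind"], url))
    return hits


if __name__ == "__main__":
    table, review = build_matcher(IOC_ROWS)
    for ioc in review:
        print("REVIEW  ", ioc["url"], "-", ioc["malware"], f"({ioc['confidence']}%)")
    for hit in scan_log(PROXY_LOG, table):
        print("HIT     ", *hit)
```

With the sample rows, the Google Analytics and CDN requests produce no hits even though their paths match Cobalt Strike default URIs, the two real C2 contacts are flagged, and the `192.168.0.199` row plus the 50% confidence Lumma row land in the review list instead of the matcher. Lower `min_confidence` if the feed's 50% rows are wanted as hunting leads rather than blocking rules.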
Threat ID: 68359c9d5d5f0974d01f5ed0
Added to database: 5/27/2025, 11:06:05 AM
Last enriched: 7/5/2025, 11:12:12 PM
Last updated: 8/5/2025, 11:36:36 AM