ThreatFox IOCs for 2023-10-15
AI Analysis
Technical Summary
The provided information pertains to a malware-related threat identified as "ThreatFox IOCs for 2023-10-15," sourced from ThreatFox, an OSINT (Open Source Intelligence) platform. The threat is categorized under malware but lacks detailed technical indicators such as specific malware family names, attack vectors, affected software versions, or exploit mechanisms. The absence of concrete indicators of compromise (IOCs) and technical specifics limits the ability to perform a deep technical dissection. However, the threat is tagged as 'type:osint' and 'tlp:white,' indicating that the information is openly shareable and derived from open-source intelligence. The threat level is rated as 2 (on an unspecified scale), with analysis and distribution scores of 1 and 3 respectively, suggesting moderate dissemination but limited analytical depth. No known exploits in the wild have been reported, and there are no patches or mitigations linked to this threat. The lack of CWE identifiers and affected product versions further constrains detailed technical assessment. Overall, this appears to be a collection or update of IOCs related to malware activity as of October 15, 2023, intended for situational awareness rather than an active, high-impact exploit campaign.
Potential Impact
Given the limited technical details and absence of known active exploits, the immediate impact on European organizations is likely to be low to medium. The threat represents potential malware activity that could be used in targeted or opportunistic attacks, but without specific exploitation methods or affected software, the risk remains generalized. European organizations relying on OSINT feeds like ThreatFox for threat intelligence could benefit from early detection of emerging malware trends. However, the lack of actionable IOCs or exploit details means that direct operational impact, such as data breaches, service disruptions, or integrity compromises, is currently minimal. The medium severity rating suggests a need for vigilance but not immediate crisis response. Organizations in sectors with high exposure to malware threats, such as finance, critical infrastructure, and government, should monitor updates closely to anticipate any evolution of this threat.
Mitigation Recommendations
1. Integrate ThreatFox and similar OSINT feeds into existing Security Information and Event Management (SIEM) systems to enhance early detection capabilities.
2. Maintain up-to-date endpoint protection solutions capable of heuristic and behavior-based malware detection, as specific signatures are not yet available.
3. Conduct regular threat hunting exercises focusing on anomalous activities that may correlate with emerging malware patterns reported in OSINT.
4. Enhance user awareness training emphasizing cautious handling of unsolicited files and links, given the general nature of malware threats.
5. Establish robust incident response procedures that can quickly adapt to new intelligence as more detailed IOCs become available.
6. Collaborate with national and European cybersecurity centers (e.g., ENISA) to share and receive timely threat intelligence updates.

These steps go beyond generic advice by emphasizing integration of OSINT feeds, proactive threat hunting, and inter-organizational collaboration tailored to the evolving nature of malware threats without specific signatures.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- Uuid: eda97085-5918-43a9-8d6a-7214a840024e
- Original Timestamp: 1697414586
Indicators of Compromise
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash28564 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash8443 | RedLine Stealer botnet C2 server (confidence level: 100%) |
Domain
Threat ID: 682c7abfe3e6de8ceb75f350
Added to database: 5/20/2025, 12:51:11 PM
Last enriched: 6/19/2025, 1:20:21 PM
Last updated: 8/15/2025, 9:42:54 AM