ThreatFox IOCs for 2023-10-15
AI Analysis
Technical Summary
The provided information pertains to a malware-related threat identified as "ThreatFox IOCs for 2023-10-15," sourced from ThreatFox, an OSINT (Open Source Intelligence) platform. The threat is categorized under malware but lacks detailed technical indicators such as specific malware family names, attack vectors, affected software versions, or exploit mechanisms. The absence of concrete indicators of compromise (IOCs) and technical specifics limits the ability to perform a deep technical dissection. However, the threat is tagged as 'type:osint' and 'tlp:white,' indicating that the information is openly shareable and derived from open-source intelligence. The threat level is rated as 2 (on an unspecified scale), with analysis and distribution scores of 1 and 3 respectively, suggesting moderate dissemination but limited analytical depth. No known exploits in the wild have been reported, and there are no patches or mitigations linked to this threat. The lack of CWE identifiers and affected product versions further constrains detailed technical assessment. Overall, this appears to be a collection or update of IOCs related to malware activity as of October 15, 2023, intended for situational awareness rather than an active, high-impact exploit campaign.
Potential Impact
Given the limited technical details and absence of known active exploits, the immediate impact on European organizations is likely to be low to medium. The threat represents potential malware activity that could be used in targeted or opportunistic attacks, but without specific exploitation methods or affected software, the risk remains generalized. European organizations relying on OSINT feeds like ThreatFox for threat intelligence could benefit from early detection of emerging malware trends. However, the lack of actionable IOCs or exploit details means that direct operational impact, such as data breaches, service disruptions, or integrity compromises, is currently minimal. The medium severity rating suggests a need for vigilance but not immediate crisis response. Organizations in sectors with high exposure to malware threats, such as finance, critical infrastructure, and government, should monitor updates closely to anticipate any evolution of this threat.
Mitigation Recommendations
1. Integrate ThreatFox and similar OSINT feeds into existing Security Information and Event Management (SIEM) systems to enhance early detection capabilities.
2. Maintain up-to-date endpoint protection solutions capable of heuristic and behavior-based malware detection, as specific signatures are not yet available.
3. Conduct regular threat hunting exercises focusing on anomalous activities that may correlate with emerging malware patterns reported in OSINT.
4. Enhance user awareness training emphasizing cautious handling of unsolicited files and links, given the general nature of malware threats.
5. Establish robust incident response procedures that can quickly adapt to new intelligence as more detailed IOCs become available.
6. Collaborate with national and European cybersecurity centers (e.g., ENISA) to share and receive timely threat intelligence updates.
These steps go beyond generic advice by emphasizing integration of OSINT feeds, proactive threat hunting, and inter-organizational collaboration tailored to the evolving nature of malware threats without specific signatures.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Indicators of Compromise
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- UUID: eda97085-5918-43a9-8d6a-7214a840024e
- Original Timestamp: 1697414586
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash28564 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash8443 | RedLine Stealer botnet C2 server (confidence level: 100%) |
Domain
Threat ID: 682c7abfe3e6de8ceb75f350
Added to database: 5/20/2025, 12:51:11 PM
Last enriched: 6/19/2025, 1:20:21 PM
Last updated: 1/19/2026, 12:12:38 PM