ThreatFox IOCs for 2023-12-21
Severity: mediumType: malware
ThreatFox IOCs for 2023-12-21
AI Analysis
Technical Summary
The provided information refers to a set of Indicators of Compromise (IOCs) published on December 21, 2023, by the ThreatFox MISP Feed. These IOCs are categorized under 'malware' with a focus on OSINT (Open Source Intelligence), network activity, and payload delivery. However, the data lacks specific details about the malware family, attack vectors, affected software versions, or technical exploitation methods. No known exploits in the wild or patches are available, and no Common Weakness Enumerations (CWEs) are listed. The threat level is indicated as low to medium (threatLevel 2), with some distribution noted (distribution 3) but minimal analysis depth (analysis 1). The absence of concrete technical indicators or payload descriptions suggests this is a preliminary or generic IOC set intended for situational awareness rather than an active, targeted threat campaign. The 'tlp:white' tag indicates the information is freely shareable without restriction. Overall, this represents a moderate-level malware-related threat focusing on network activity and payload delivery, but without detailed exploitation or impact specifics.
Potential Impact
For European organizations, the impact of this threat is currently limited due to the lack of detailed exploitation information and absence of known active exploits. However, the presence of IOCs related to malware and payload delivery implies potential risks of infection through network vectors, which could lead to unauthorized access, data exfiltration, or service disruption if exploited. Organizations relying on OSINT tools or monitoring network traffic for threat intelligence may find these IOCs useful for detection and prevention. The medium severity suggests a moderate risk that could escalate if further details or active exploitation emerge. European entities with critical infrastructure or sensitive data could face confidentiality and availability risks if the malware payloads are successfully delivered and executed.
Mitigation Recommendations
Given the limited technical details, European organizations should enhance their network monitoring capabilities to detect unusual payload delivery attempts and network activity patterns. Integrating these IOCs into existing Security Information and Event Management (SIEM) systems and threat intelligence platforms can improve detection accuracy. Regularly updating and tuning intrusion detection/prevention systems (IDS/IPS) to recognize emerging malware signatures is recommended. Organizations should also conduct threat hunting exercises focusing on network traffic anomalies and payload delivery mechanisms. Since no patches are available, emphasis should be placed on network segmentation, strict access controls, and user awareness training to reduce the attack surface. Collaboration with national Computer Security Incident Response Teams (CSIRTs) and sharing intelligence within European cybersecurity communities will help in early identification and response.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Indicators of Compromise
- url: http://creepfleetconfusew.fun/api
- domain: getfnewsolutions.com
- domain: bluenetworking.net
- domain: erihudeg.com
- file: 171.5.184.236
- hash: 3790
- file: 54.39.105.235
- hash: 10001
- file: 77.105.132.87
- hash: 22221
- file: 15.207.21.242
- hash: 3790
- url: http://moscow-post.ru/blogggg/blogger.php
- url: http://962855cm.nyashtech.top/datalifetemp.php
- url: http://bombertublestylebanws.fun/api
- file: 121.37.82.36
- hash: 8834
- file: 13.232.180.80
- hash: 3790
- file: 94.131.107.198
- hash: 8443
- file: 139.84.147.34
- hash: 443
- file: 91.92.250.227
- hash: 443
- file: 13.38.219.27
- hash: 443
- file: 69.164.199.179
- hash: 8443
- file: 13.213.218.169
- hash: 45923
- file: 76.84.73.88
- hash: 445
- file: 138.197.68.179
- hash: 445
- file: 95.215.108.41
- hash: 2222
- file: 24.241.8.84
- hash: 443
- url: https://194.26.135.67/mtq4mmuxodbhmtvi/
- file: 216.83.58.190
- hash: 8888
- file: 109.123.227.167
- hash: 5938
- file: 3.127.138.57
- hash: 12460
- file: 18.157.68.73
- hash: 12460
- file: 18.192.93.86
- hash: 12460
- file: 194.147.140.222
- hash: 2025
- url: http://82.146.37.188/cdnmulti/linepollsqldlecdn.php
- file: 13.126.178.6
- hash: 3790
- file: 104.21.88.185
- hash: 2096
- domain: mail.googlesmail.xyz
- url: http://zekhost.000webhostapp.com/396833e4.php
- url: https://95.216.178.71/
- file: 95.216.178.71
- hash: 443
- file: 87.107.164.199
- hash: 3790
- file: 194.26.29.153
- hash: 15648
- domain: adavanced-ip-scaner.com
- domain: adavanced-ip-scanner.com
- domain: adevancd-lp-scanner.com
- domain: adevanced-ip-scans.com
- domain: adevanced-lp-scaners.com
- domain: adevanced-lp-scanner.net
- domain: adevanced-lp-scanners.com
- domain: adsvancd-lp-scanner.net
- domain: adsvanced-ip-scanner.com
- domain: advancd-ip-scanner.com
- domain: advancd-ip-scanner.net
- domain: advancd-lp-scanner.net
- domain: advanced-ip-scan.net
- domain: advanced-ip-scanned.com
- domain: advanced-ip-scanning.com
- domain: advanced-ip-scanning.net
- domain: advanced-ipscan.com
- domain: advanced-ipscanning.com
- domain: advanced-lp-scan.com
- domain: advanced-lp-scaners.com
- domain: advanced-lp-scaners.net
- domain: advanced-lp-scanned.com
- domain: advanced-lp-scanned.net
- domain: advanced-lp-scanner.com
- domain: advanced-lp-scanners.com
- domain: advanced-port-scanner.net
- domain: advancede-ip-scanner.com
- domain: advancedes-ip-scan.com
- domain: advancedes-ip-scan.net
- domain: advancedes-ip-scanner.com
- domain: advancedes-ip-scanner.net
- domain: advancedes-lp-scan.net
- domain: advancedes-lp-scanner.com
- domain: advancedes-lp-scanner.net
- domain: advancedip-scanner.net
- domain: advancedlpscanner.com
- domain: advanceds-ip-scan.net
- domain: advanceds-ip-scanner.net
- domain: advanceds-lp-scanner.net
- domain: advnced-ip-scan.com
- domain: advnced-ip-scanner.com
- domain: advnced-lp-scanner.com
- domain: inductiveautomatlon.com
- domain: inductiveoutomation.com
- domain: inductlveautomation.com
- domain: mycaase.com
- domain: mycaase.net
- domain: oldsfaq.com
- domain: technorobo-life.com
- file: 185.11.61.65
- hash: 443
- url: http://1.15.189.30/__utm.gif
- file: 1.15.189.30
- hash: 80
- url: http://213.109.202.219/ca
- url: https://82.157.78.234/updates.rss
- file: 82.157.78.234
- hash: 443
- url: https://service-lqsfxdz9-1307700818.sh.tencentapigw.com/geqeqwea.js
- domain: service-lqsfxdz9-1307700818.sh.tencentapigw.com
- url: https://138.197.178.187/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- file: 138.197.178.187
- hash: 443
- url: http://103.164.49.148/g.pixel
- file: 103.164.49.148
- hash: 80
- url: https://qw.regsvcast.com/hr
- domain: qw.regsvcast.com
- url: https://as.regsvcast.com/hr
- domain: as.regsvcast.com
- url: https://zx.regsvcast.com/hr
- domain: zx.regsvcast.com
- file: 147.78.47.178
- hash: 443
- file: 144.91.113.0
- hash: 13721
- file: 172.232.172.228
- hash: 2221
- file: 172.232.7.224
- hash: 9785
- file: 172.232.172.171
- hash: 13721
- file: 109.123.227.166
- hash: 5938
- url: https://paldiengineering.com/8wjmd9n/0.5687043298865158.dat
- url: https://israrliaqat.com/6wx4/0.844468240812589.dat
- url: https://grehlingerssealcoating.com/3hidbt/0.6552612703498036.dat
- url: https://saeedalkarmi.com/at2ja9/0.6508004520633979.dat
- url: https://gofly.id/p9g/0.9681228263349928.dat
- url: https://holyrosaryinternational.com/n1h3/0.5119460133828262.dat
- file: 101.201.224.75
- hash: 2333
- file: 13.233.98.101
- hash: 3790
- file: 5.42.65.31
- hash: 48396
- file: 185.225.69.33
- hash: 443
- url: http://193.3.19.247/pl.exe
- url: http://193.3.19.247/sl.exe
- file: 185.172.128.33
- hash: 35875
- file: 45.67.231.4
- hash: 80
- file: 79.110.52.39
- hash: 80
- file: 2.56.212.247
- hash: 80
- file: 5.75.178.55
- hash: 3790
- url: http://103.114.107.28/l1010/
- url: http://103.114.107.28/l1212/
- url: http://103.114.107.28/l1414/
- url: http://103.114.107.28/l1616/
- url: http://103.114.107.28/l1919/
- url: http://103.114.107.28/l2121/
- url: http://103.114.107.28/l22/
- url: http://103.114.107.28/l2323/
- url: http://103.114.107.28/l24/
- url: http://103.114.107.28/l25/
- url: http://103.114.107.28/l2626/
- url: http://103.114.107.28/l27/
- url: http://103.114.107.28/l2828/
- url: http://103.114.107.28/l29/
- url: http://103.114.107.28/l3030/
- url: http://103.114.107.28/l3131/
- url: http://103.114.107.28/l32/
- url: http://103.114.107.28/l33/
- url: http://103.114.107.28/l34/
- url: http://103.114.107.28/l35/
- url: http://103.114.107.28/l36/
- url: http://103.114.107.28/l37/
- url: http://103.114.107.28/l38/
- url: http://103.114.107.28/l39/
- url: http://103.114.107.28/l404/
- url: http://103.114.107.28/l4040/
- url: http://103.114.107.28/l606/
- url: http://103.114.107.28/l808/
- url: http://2.56.57.108/osk/
- url: http://2.56.59.226/www/
- url: http://37.0.11.237/nn/
- url: http://64.188.21.227/x/
- url: http://9enternecera.ru.com/os/
- url: http://adwa2tv.com/new/
- url: http://aegismd.ca/cgi/
- url: http://b1xz.duckdns.org/b11/
- url: http://b1xz.duckdns.org/b24/
- url: http://b1xz.duckdns.org/b27/
- url: http://b1xz.duckdns.org/b40/
- url: http://b1xz.duckdns.org/b505/
- url: http://de4mon-p4nel.site/oski/
- url: http://elsantos.co/sa/
- url: http://gilvantur.com/site/bot/
- url: http://ipc-nena.net/oski/
- url: http://itskuba.com/1g
- url: http://marbellacabs.com/hao/
- url: http://mcharglaw.com/cgi/
- url: http://mmcjo.com/crown/
- url: http://no1geekfun.com/surce/a/
- url: http://pplonline.org/cgi/
- url: http://rgjeweller.mu/oski/
- url: http://smarteyecare.in/assets/fonts/static/
- url: http://soitaab.co/make/
- url: http://sunwindz.in.net/su/
- url: http://trafficbadassery.com/a/
- url: http://tunqyuindia.com/mar3/
- url: http://web24host.com/a/a/www/
- url: http://zenginler.online/oski/
- file: 172.232.189.141
- hash: 2078
- file: 5.180.151.194
- hash: 5631
- file: 154.38.185.136
- hash: 5243
- file: 5.180.151.180
- hash: 2224
- file: 172.234.224.202
- hash: 13785
- file: 109.123.227.170
- hash: 5632
- file: 109.123.227.147
- hash: 5243
- file: 85.239.237.153
- hash: 5632
- file: 154.38.164.50
- hash: 5243
- file: 109.123.227.174
- hash: 23399
- domain: withclier.com
- url: http://8.141.13.130:8001/system/role/list
- url: http://45.136.14.51/activity
- url: http://165.3.113.96/jquery-3.3.1.min.js
- file: 164.155.212.249
- hash: 80
- url: http://91.92.252.228/vlenath
- url: http://8.140.147.193/ie9compatviewlist.xml
- url: http://164.155.212.249:8087/jquery-3.3.1.min.js
- url: http://115.159.112.155/dpixel
- url: http://85.209.11.236/broadcast
- file: 109.123.227.158
- hash: 2223
- url: http://195.20.16.45/api/firegate.php
- url: http://195.20.16.45/api/firepro.php
- url: http://111.229.163.225/pixel.gif
- file: 198.251.89.101
- hash: 443
- file: 45.142.182.103
- hash: 4426
- file: 193.233.132.72
- hash: 36295
- file: 158.160.58.164
- hash: 443
- file: 198.98.48.31
- hash: 8099
- file: 185.172.128.33
- hash: 38294
- file: 167.114.115.246
- hash: 8080
- file: 47.100.126.235
- hash: 7443
- file: 198.13.36.52
- hash: 8443
- file: 193.233.203.168
- hash: 443
- file: 91.92.253.137
- hash: 443
- file: 31.222.238.48
- hash: 443
- file: 101.37.23.56
- hash: 8888
- file: 121.37.208.133
- hash: 8888
- file: 154.8.162.103
- hash: 8888
- file: 103.185.249.231
- hash: 18080
- file: 185.196.9.234
- hash: 443
- file: 106.52.244.189
- hash: 81
- url: http://47.109.102.98/match
- file: 83.10.50.193
- hash: 80
- domain: ns1.dns-supports.online
- domain: ns2.dns-supports.online
- file: 45.8.158.71
- hash: 53
- file: 91.92.248.33
- hash: 4782
- file: 27.124.3.19
- hash: 6606
- file: 165.3.113.96
- hash: 443
- file: 103.143.248.179
- hash: 81
- file: 165.3.113.96
- hash: 80
- file: 193.29.13.220
- hash: 8090
- file: 139.155.153.109
- hash: 5555
- url: https://cdn-014.epsonupdate.uk/j.ad
- domain: cdn-014.epsonupdate.uk
ThreatFox IOCs for 2023-12-21
Medium
Published: Thu Dec 21 2023 (12/21/2023, 00:00:00 UTC)
Source: ThreatFox MISP Feed
Vendor/Project: type
Product: osint
Description
ThreatFox IOCs for 2023-12-21
AI-Powered Analysis
AILast updated: 07/05/2025, 23:10:22 UTC
Technical Analysis
The provided information refers to a set of Indicators of Compromise (IOCs) published on December 21, 2023, by the ThreatFox MISP Feed. These IOCs are categorized under 'malware' with a focus on OSINT (Open Source Intelligence), network activity, and payload delivery. However, the data lacks specific details about the malware family, attack vectors, affected software versions, or technical exploitation methods. No known exploits in the wild or patches are available, and no Common Weakness Enumerations (CWEs) are listed. The threat level is indicated as low to medium (threatLevel 2), with some distribution noted (distribution 3) but minimal analysis depth (analysis 1). The absence of concrete technical indicators or payload descriptions suggests this is a preliminary or generic IOC set intended for situational awareness rather than an active, targeted threat campaign. The 'tlp:white' tag indicates the information is freely shareable without restriction. Overall, this represents a moderate-level malware-related threat focusing on network activity and payload delivery, but without detailed exploitation or impact specifics.
Potential Impact
For European organizations, the impact of this threat is currently limited due to the lack of detailed exploitation information and absence of known active exploits. However, the presence of IOCs related to malware and payload delivery implies potential risks of infection through network vectors, which could lead to unauthorized access, data exfiltration, or service disruption if exploited. Organizations relying on OSINT tools or monitoring network traffic for threat intelligence may find these IOCs useful for detection and prevention. The medium severity suggests a moderate risk that could escalate if further details or active exploitation emerge. European entities with critical infrastructure or sensitive data could face confidentiality and availability risks if the malware payloads are successfully delivered and executed.
Mitigation Recommendations
Given the limited technical details, European organizations should enhance their network monitoring capabilities to detect unusual payload delivery attempts and network activity patterns. Integrating these IOCs into existing Security Information and Event Management (SIEM) systems and threat intelligence platforms can improve detection accuracy. Regularly updating and tuning intrusion detection/prevention systems (IDS/IPS) to recognize emerging malware signatures is recommended. Organizations should also conduct threat hunting exercises focusing on network traffic anomalies and payload delivery mechanisms. Since no patches are available, emphasis should be placed on network segmentation, strict access controls, and user awareness training to reduce the attack surface. Collaboration with national Computer Security Incident Response Teams (CSIRTs) and sharing intelligence within European cybersecurity communities will help in early identification and response.
Affected Countries
Need more detailed analysis?Get Pro
Pro Feature
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- fdfc8459-5cb7-4523-91be-aa61a1aa9791
- Original Timestamp
- 1703203387
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://creepfleetconfusew.fun/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttp://moscow-post.ru/blogggg/blogger.php | Mars Stealer botnet C2 (confidence level: 100%) | |
urlhttp://962855cm.nyashtech.top/datalifetemp.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://bombertublestylebanws.fun/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://194.26.135.67/mtq4mmuxodbhmtvi/ | Coper botnet C2 (confidence level: 80%) | |
urlhttp://82.146.37.188/cdnmulti/linepollsqldlecdn.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://zekhost.000webhostapp.com/396833e4.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttps://95.216.178.71/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://1.15.189.30/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://213.109.202.219/ca | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://82.157.78.234/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://service-lqsfxdz9-1307700818.sh.tencentapigw.com/geqeqwea.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://138.197.178.187/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://103.164.49.148/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://qw.regsvcast.com/hr | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://as.regsvcast.com/hr | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://zx.regsvcast.com/hr | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://paldiengineering.com/8wjmd9n/0.5687043298865158.dat | Pikabot payload delivery URL (confidence level: 100%) | |
urlhttps://israrliaqat.com/6wx4/0.844468240812589.dat | Pikabot payload delivery URL (confidence level: 100%) | |
urlhttps://grehlingerssealcoating.com/3hidbt/0.6552612703498036.dat | Pikabot payload delivery URL (confidence level: 100%) | |
urlhttps://saeedalkarmi.com/at2ja9/0.6508004520633979.dat | Pikabot payload delivery URL (confidence level: 100%) | |
urlhttps://gofly.id/p9g/0.9681228263349928.dat | Pikabot payload delivery URL (confidence level: 100%) | |
urlhttps://holyrosaryinternational.com/n1h3/0.5119460133828262.dat | Pikabot payload delivery URL (confidence level: 100%) | |
urlhttp://193.3.19.247/pl.exe | Phorpiex payload delivery URL (confidence level: 100%) | |
urlhttp://193.3.19.247/sl.exe | Phorpiex payload delivery URL (confidence level: 100%) | |
urlhttp://103.114.107.28/l1010/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l1212/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l1414/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l1616/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l1919/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l2121/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l22/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l2323/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l24/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l25/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l2626/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l27/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l2828/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l29/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l3030/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l3131/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l32/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l33/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l34/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l35/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l36/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l37/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l38/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l39/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l404/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l4040/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l606/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://103.114.107.28/l808/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://2.56.57.108/osk/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://2.56.59.226/www/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://37.0.11.237/nn/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://64.188.21.227/x/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://9enternecera.ru.com/os/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://adwa2tv.com/new/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://aegismd.ca/cgi/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://b1xz.duckdns.org/b11/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://b1xz.duckdns.org/b24/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://b1xz.duckdns.org/b27/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://b1xz.duckdns.org/b40/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://b1xz.duckdns.org/b505/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://de4mon-p4nel.site/oski/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://elsantos.co/sa/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://gilvantur.com/site/bot/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://ipc-nena.net/oski/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://itskuba.com/1g | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://marbellacabs.com/hao/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://mcharglaw.com/cgi/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://mmcjo.com/crown/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://no1geekfun.com/surce/a/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://pplonline.org/cgi/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://rgjeweller.mu/oski/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://smarteyecare.in/assets/fonts/static/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://soitaab.co/make/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://sunwindz.in.net/su/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://trafficbadassery.com/a/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://tunqyuindia.com/mar3/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://web24host.com/a/a/www/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://zenginler.online/oski/ | Oski Stealer botnet C2 (confidence level: 100%) | |
urlhttp://8.141.13.130:8001/system/role/list | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://45.136.14.51/activity | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://165.3.113.96/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://91.92.252.228/vlenath | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://8.140.147.193/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://164.155.212.249:8087/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://115.159.112.155/dpixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://85.209.11.236/broadcast | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://195.20.16.45/api/firegate.php | PrivateLoader botnet C2 (confidence level: 100%) | |
urlhttp://195.20.16.45/api/firepro.php | PrivateLoader botnet C2 (confidence level: 100%) | |
urlhttp://111.229.163.225/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://47.109.102.98/match | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://cdn-014.epsonupdate.uk/j.ad | Cobalt Strike botnet C2 (confidence level: 100%) |
Domain
| Value | Description | Copy |
|---|---|---|
domaingetfnewsolutions.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainbluenetworking.net | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainerihudeg.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainmail.googlesmail.xyz | Cobalt Strike botnet C2 domain (confidence level: 50%) | |
domainadavanced-ip-scaner.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadavanced-ip-scanner.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadevancd-lp-scanner.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadevanced-ip-scans.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadevanced-lp-scaners.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadevanced-lp-scanner.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadevanced-lp-scanners.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadsvancd-lp-scanner.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadsvanced-ip-scanner.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancd-ip-scanner.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancd-ip-scanner.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancd-lp-scanner.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-ip-scan.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-ip-scanned.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-ip-scanning.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-ip-scanning.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-ipscan.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-ipscanning.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-lp-scan.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-lp-scaners.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-lp-scaners.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-lp-scanned.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-lp-scanned.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-lp-scanner.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-lp-scanners.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanced-port-scanner.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancede-ip-scanner.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancedes-ip-scan.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancedes-ip-scan.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancedes-ip-scanner.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancedes-ip-scanner.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancedes-lp-scan.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancedes-lp-scanner.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancedes-lp-scanner.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancedip-scanner.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvancedlpscanner.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanceds-ip-scan.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanceds-ip-scanner.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvanceds-lp-scanner.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvnced-ip-scan.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvnced-ip-scanner.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainadvnced-lp-scanner.com | DanaBot payload delivery domain (confidence level: 75%) | |
domaininductiveautomatlon.com | DanaBot payload delivery domain (confidence level: 75%) | |
domaininductiveoutomation.com | DanaBot payload delivery domain (confidence level: 75%) | |
domaininductlveautomation.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainmycaase.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainmycaase.net | DanaBot payload delivery domain (confidence level: 75%) | |
domainoldsfaq.com | DanaBot payload delivery domain (confidence level: 75%) | |
domaintechnorobo-life.com | DanaBot payload delivery domain (confidence level: 75%) | |
domainservice-lqsfxdz9-1307700818.sh.tencentapigw.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainqw.regsvcast.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainas.regsvcast.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainzx.regsvcast.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainwithclier.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainns1.dns-supports.online | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainns2.dns-supports.online | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domaincdn-014.epsonupdate.uk | Cobalt Strike botnet C2 domain (confidence level: 100%) |
File
| Value | Description | Copy |
|---|---|---|
file171.5.184.236 | Meterpreter botnet C2 server (confidence level: 80%) | |
file54.39.105.235 | Xtreme RAT botnet C2 server (confidence level: 80%) | |
file77.105.132.87 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file15.207.21.242 | Meterpreter botnet C2 server (confidence level: 80%) | |
file121.37.82.36 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file13.232.180.80 | Meterpreter botnet C2 server (confidence level: 80%) | |
file94.131.107.198 | BianLian botnet C2 server (confidence level: 50%) | |
file139.84.147.34 | Havoc botnet C2 server (confidence level: 50%) | |
file91.92.250.227 | Havoc botnet C2 server (confidence level: 50%) | |
file13.38.219.27 | Havoc botnet C2 server (confidence level: 50%) | |
file69.164.199.179 | Havoc botnet C2 server (confidence level: 50%) | |
file13.213.218.169 | Havoc botnet C2 server (confidence level: 50%) | |
file76.84.73.88 | Responder botnet C2 server (confidence level: 50%) | |
file138.197.68.179 | Responder botnet C2 server (confidence level: 50%) | |
file95.215.108.41 | QakBot botnet C2 server (confidence level: 50%) | |
file24.241.8.84 | QakBot botnet C2 server (confidence level: 50%) | |
file216.83.58.190 | Unknown malware botnet C2 server (confidence level: 50%) | |
file109.123.227.167 | Pikabot botnet C2 server (confidence level: 50%) | |
file3.127.138.57 | NjRAT botnet C2 server (confidence level: 100%) | |
file18.157.68.73 | NjRAT botnet C2 server (confidence level: 100%) | |
file18.192.93.86 | NjRAT botnet C2 server (confidence level: 100%) | |
file194.147.140.222 | Remcos botnet C2 server (confidence level: 100%) | |
file13.126.178.6 | Meterpreter botnet C2 server (confidence level: 80%) | |
file104.21.88.185 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file95.216.178.71 | Vidar botnet C2 server (confidence level: 100%) | |
file87.107.164.199 | Meterpreter botnet C2 server (confidence level: 80%) | |
file194.26.29.153 | SectopRAT botnet C2 server (confidence level: 100%) | |
file185.11.61.65 | DanaBot payload delivery server (confidence level: 75%) | |
file1.15.189.30 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file82.157.78.234 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file138.197.178.187 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file103.164.49.148 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file147.78.47.178 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file144.91.113.0 | Pikabot botnet C2 server (confidence level: 100%) | |
file172.232.172.228 | Pikabot botnet C2 server (confidence level: 100%) | |
file172.232.7.224 | Pikabot botnet C2 server (confidence level: 100%) | |
file172.232.172.171 | Pikabot botnet C2 server (confidence level: 100%) | |
file109.123.227.166 | Pikabot botnet C2 server (confidence level: 100%) | |
file101.201.224.75 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file13.233.98.101 | Meterpreter botnet C2 server (confidence level: 80%) | |
file5.42.65.31 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file185.225.69.33 | DanaBot botnet C2 server (confidence level: 100%) | |
file185.172.128.33 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file45.67.231.4 | Ficker Stealer botnet C2 server (confidence level: 100%) | |
file79.110.52.39 | Ficker Stealer botnet C2 server (confidence level: 100%) | |
file2.56.212.247 | Ficker Stealer botnet C2 server (confidence level: 100%) | |
file5.75.178.55 | Meterpreter botnet C2 server (confidence level: 80%) | |
file172.232.189.141 | Pikabot botnet C2 server (confidence level: 100%) | |
file5.180.151.194 | Pikabot botnet C2 server (confidence level: 100%) | |
file154.38.185.136 | Pikabot botnet C2 server (confidence level: 100%) | |
file5.180.151.180 | Pikabot botnet C2 server (confidence level: 100%) | |
file172.234.224.202 | Pikabot botnet C2 server (confidence level: 100%) | |
file109.123.227.170 | Pikabot botnet C2 server (confidence level: 100%) | |
file109.123.227.147 | Pikabot botnet C2 server (confidence level: 100%) | |
file85.239.237.153 | Pikabot botnet C2 server (confidence level: 100%) | |
file154.38.164.50 | Pikabot botnet C2 server (confidence level: 100%) | |
file109.123.227.174 | Pikabot botnet C2 server (confidence level: 100%) | |
file164.155.212.249 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file109.123.227.158 | Pikabot botnet C2 server (confidence level: 100%) | |
file198.251.89.101 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file45.142.182.103 | Mirai botnet C2 server (confidence level: 75%) | |
file193.233.132.72 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file158.160.58.164 | BumbleBee botnet C2 server (confidence level: 75%) | |
file198.98.48.31 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file185.172.128.33 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file167.114.115.246 | Sliver botnet C2 server (confidence level: 50%) | |
file47.100.126.235 | Unknown malware botnet C2 server (confidence level: 50%) | |
file198.13.36.52 | Havoc botnet C2 server (confidence level: 50%) | |
file193.233.203.168 | Havoc botnet C2 server (confidence level: 50%) | |
file91.92.253.137 | Havoc botnet C2 server (confidence level: 50%) | |
file31.222.238.48 | Havoc botnet C2 server (confidence level: 50%) | |
file101.37.23.56 | Unknown malware botnet C2 server (confidence level: 50%) | |
file121.37.208.133 | Unknown malware botnet C2 server (confidence level: 50%) | |
file154.8.162.103 | Unknown malware botnet C2 server (confidence level: 50%) | |
file103.185.249.231 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file185.196.9.234 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file106.52.244.189 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file83.10.50.193 | Unknown malware botnet C2 server (confidence level: 80%) | |
file45.8.158.71 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file91.92.248.33 | N-W0rm botnet C2 server (confidence level: 100%) | |
file27.124.3.19 | Orcus RAT botnet C2 server (confidence level: 100%) | |
file165.3.113.96 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file103.143.248.179 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file165.3.113.96 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file193.29.13.220 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file139.155.153.109 | Cobalt Strike botnet C2 server (confidence level: 80%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash10001 | Xtreme RAT botnet C2 server (confidence level: 80%) | |
hash22221 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash8834 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash8443 | BianLian botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash8443 | Havoc botnet C2 server (confidence level: 50%) | |
hash45923 | Havoc botnet C2 server (confidence level: 50%) | |
hash445 | Responder botnet C2 server (confidence level: 50%) | |
hash445 | Responder botnet C2 server (confidence level: 50%) | |
hash2222 | QakBot botnet C2 server (confidence level: 50%) | |
hash443 | QakBot botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash5938 | Pikabot botnet C2 server (confidence level: 50%) | |
hash12460 | NjRAT botnet C2 server (confidence level: 100%) | |
hash12460 | NjRAT botnet C2 server (confidence level: 100%) | |
hash12460 | NjRAT botnet C2 server (confidence level: 100%) | |
hash2025 | Remcos botnet C2 server (confidence level: 100%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash2096 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash443 | Vidar botnet C2 server (confidence level: 100%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash15648 | SectopRAT botnet C2 server (confidence level: 100%) | |
hash443 | DanaBot payload delivery server (confidence level: 75%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash13721 | Pikabot botnet C2 server (confidence level: 100%) | |
hash2221 | Pikabot botnet C2 server (confidence level: 100%) | |
hash9785 | Pikabot botnet C2 server (confidence level: 100%) | |
hash13721 | Pikabot botnet C2 server (confidence level: 100%) | |
hash5938 | Pikabot botnet C2 server (confidence level: 100%) | |
hash2333 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash48396 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash443 | DanaBot botnet C2 server (confidence level: 100%) | |
hash35875 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash80 | Ficker Stealer botnet C2 server (confidence level: 100%) | |
hash80 | Ficker Stealer botnet C2 server (confidence level: 100%) | |
hash80 | Ficker Stealer botnet C2 server (confidence level: 100%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash2078 | Pikabot botnet C2 server (confidence level: 100%) | |
hash5631 | Pikabot botnet C2 server (confidence level: 100%) | |
hash5243 | Pikabot botnet C2 server (confidence level: 100%) | |
hash2224 | Pikabot botnet C2 server (confidence level: 100%) | |
hash13785 | Pikabot botnet C2 server (confidence level: 100%) | |
hash5632 | Pikabot botnet C2 server (confidence level: 100%) | |
hash5243 | Pikabot botnet C2 server (confidence level: 100%) | |
hash5632 | Pikabot botnet C2 server (confidence level: 100%) | |
hash5243 | Pikabot botnet C2 server (confidence level: 100%) | |
hash23399 | Pikabot botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash2223 | Pikabot botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash4426 | Mirai botnet C2 server (confidence level: 75%) | |
hash36295 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash443 | BumbleBee botnet C2 server (confidence level: 75%) | |
hash8099 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash38294 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash8080 | Sliver botnet C2 server (confidence level: 50%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8443 | Havoc botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash18080 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash81 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Unknown malware botnet C2 server (confidence level: 80%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash4782 | N-W0rm botnet C2 server (confidence level: 100%) | |
hash6606 | Orcus RAT botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash81 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash8090 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash5555 | Cobalt Strike botnet C2 server (confidence level: 80%) |
Threat ID: 68359c9a5d5f0974d01e37ee
Added to database: 5/27/2025, 11:06:02 AM
Last enriched: 7/5/2025, 11:10:22 PM
Last updated: 8/13/2025, 2:34:35 AM
Views: 10
Related Threats
ThreatFox IOCs for 2025-08-13
MediumMalwareThu Aug 14 2025
Efimer Trojan Steals Crypto, Hacks WordPress Sites via Torrents and Phishing
MediumMalwareWed Aug 13 2025
Silent Watcher: Dissecting Cmimai Stealer's VBS Payload
MediumMalwareWed Aug 13 2025
CastleLoader Analysis
MediumMalwareWed Aug 13 2025
The Dark Side of Parental Control Apps
MediumMalwareWed Aug 13 2025
Actions
PRO
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Please log in to the Console to use AI analysis features.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.