ThreatFox IOCs for 2024-05-11
AI Analysis
Technical Summary
"ThreatFox IOCs for 2024-05-11" is the daily bundle of indicators that abuse.ch's ThreatFox platform collected on 11 May 2024, redistributed here as an OSINT event. Despite the generic title the page carries a substantial indicator set: 94 distinct URLs, 15 domains, 58 address:port pairs and one SHA-256 file hash, each tagged with the malware family the submitter attributed it to and a submitter-assigned confidence level. Cobalt Strike team servers account for most of the URLs and a dozen of the address:port pairs; the remainder are labelled GootLoader, Latrodectus ("Unidentified 111"), DCRat, Coper, SmartLoader, Socks5 Systemz, solarmarker, Loki PWS, NjRAT, Remcos, Ghost RAT, AsyncRAT, RedLine Stealer, Meduza Stealer, QakBot, BianLian, Sliver, Havoc, Deimos and Responder, plus a handful of "Unknown malware" C2 servers. Several patterns are visible in the data itself. The GootLoader URLs are ordinary-looking websites serving pages with legal-agreement themed slugs (rental guarantor, purchase agreement, scope-of-practice laws), consistent with that family's SEO-poisoning delivery through legitimate but compromised sites. The Coper URLs reuse one path token across many throwaway domains (/ywrhzjaxngm1yjfh/, /yti3ntjmywy0mwe2/, /ote5mzgxywzinjk1/). Many Cobalt Strike URLs use Beacon's default HTTP URIs (/fwlink, /dot.gif, /pixel.gif, /__utm.gif, /ga.js, /updates.rss, /cx, /ptj, /push, /match, /visit.js, /j.ad, /dpixel, /en_us/all.js) or paths lifted from widely shared malleable profiles such as the Amazon-lookalike /s/ref=nb_sb_noss_1/... path, which is why they carry 100% confidence. Two quirks of the export must be handled by anyone consuming it: ThreatFox ip:port indicators were exported as paired "file" (address) and "hash" (port) entries, so apart from the single 64-character SHA-256 none of the "hash" values are file hashes, they are TCP ports; and one Cobalt Strike URL points at 192.168.183.131, an RFC 1918 private address that must not be pushed to a blocklist. The Technical Details fields follow the MISP event schema used for the ThreatFox feed: threat level 2 is Medium, analysis 1 is Ongoing and distribution 3 is All communities, and the tags type:osint and tlp:white mark the event as freely shareable. This is an infrastructure feed, not a vulnerability report: there is no affected product, CWE or patch, and the notion of "exploits in the wild" does not apply, because every entry is, by definition, infrastructure observed in use by malware.
Potential Impact
Because this is an infrastructure feed rather than a vulnerability, impact is defined by what a match in an organization's telemetry means. A host that resolved or connected to one of the C2 entries (Cobalt Strike, Havoc, Sliver, Deimos, DCRat, AsyncRAT, NjRAT, Remcos, Ghost RAT) is very likely already running an implant under interactive attacker control, which puts the confidentiality, integrity and availability of that host and of everything reachable from it at risk; the BianLian entries belong to a ransomware and extortion operation, so a hit there should be treated as a possible ransomware precursor. A hit on a GootLoader, Latrodectus or SmartLoader payload-delivery URL means a user fetched a first-stage loader, and whether it executed decides the outcome. The stealer entries (RedLine, Meduza, Loki PWS, solarmarker, the nt-stealers.com panel) imply theft of credentials and session tokens, and Socks5 Systemz turns infected machines into proxy exit nodes. The Coper entries concern an Android banking trojan and matter for mobile and BYOD fleets rather than servers. Confidence levels matter for triage: 50% is the reporter's own assessment and such entries warrant alerting and review rather than automatic blocking, while 100% entries can be blocked outright. Nothing in the indicator data itself points to particular countries; the .se, .nl, .it, .de and .co.uk hosts among the GootLoader URLs are delivery sites, not targets.
Mitigation Recommendations
1. Load the indicators by type: URLs and full hostnames into the web proxy and DNS RPZ blocklists; address:port pairs into firewall or NDR rules keyed on both address and port; the SHA-256 4833e3f6c520312f6cc2716fb89a31c86e143e410305ffdff072786bce948e0c into EDR block rules. For the cloud-hosted entries (two cloudfront.net names, a cos.ap-beijing.myqcloud.com bucket, a gz.tencentapigw.com.cn gateway, a github.com attachment URL) block only the specific hostname or URL, never the parent domain. Exclude http://192.168.183.131/dot.gif; it is a private address and will only produce false positives.
2. Retro-hunt proxy, DNS, firewall and EDR logs back to at least 11 May 2024 for the same indicators; this infrastructure was live on that date, so earlier connections are the ones that matter. Match address:port pairs on both fields. Several entries sit in large cloud-provider ranges where an address is shared by many tenants, so an address-only hit is weak evidence on its own.
3. Treat any confirmed connection to a Cobalt Strike, Havoc, Sliver, Deimos or BianLian entry as an active intrusion: isolate the host, preserve memory and EDR telemetry, and look for lateral movement and credential use originating from it before re-imaging.
4. For GootLoader, Latrodectus and SmartLoader delivery URLs, recover the downloaded file from the proxy cache or the endpoint and determine whether it executed; if it did, hunt for the follow-on C2 families listed above.
5. Use the confidence level as policy: block 100% entries outright; route 50% and 75% entries to alerting and analyst review.
6. Expire address:port and URL indicators on a schedule, since C2 servers churn quickly, and re-pull the ThreatFox daily export so blocklists track current infrastructure.
7. Where mobile devices are managed, push the Coper domains to the mobile DNS filter; these are Android banking-trojan C2s and will not appear in server-side telemetry.
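The steps above come down to normalizing the feed and matching it against logs at the right granularity. The following Python is an added example, not tooling from ThreatFox or from this page: it parses indicator lines in the "type: value" form used on this page, re-pairs the split address/port entries, drops non-routable addresses such as the 192.168.183.131 entry, derives address:port indicators from IP-hosted URLs, and hunts a proxy log, reporting address-only matches at low confidence. The indicator values are taken from this page; the proxy log lines, their column layout (timestamp, client, method, target, status) and the high/medium/low confidence labels are constructed for the example.

```python
"""Normalize ThreatFox-style indicator lines and hunt for them in a proxy log.
Added example, not tooling from ThreatFox or this page; the indicator values are
copied from the 2024-05-11 list, the proxy log lines are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# ip:port indicators arrive as "file: <ip>" then "hash: <port>"; re-paired below.
IOC_LINES = """\
- url: https://43.153.222.28:4545/cm
- url: https://anikvan.com/content.php
- domain: anikvan.com
- file: 95.164.68.73
- hash: 443
- hash: 4833e3f6c520312f6cc2716fb89a31c86e143e410305ffdff072786bce948e0c
- url: http://192.168.183.131/dot.gif
""".splitlines()

PROXY_LOG = """\
2024-05-12T08:14:03Z 10.20.1.55 CONNECT 43.153.222.28:4545 -
2024-05-12T08:15:11Z 10.20.1.55 GET https://anikvan.com/content.php 200
2024-05-12T08:17:02Z 10.20.3.9 CONNECT 95.164.68.73:8443 -
2024-05-12T08:18:30Z 10.20.4.2 GET http://192.168.183.131/dot.gif 404
""".splitlines()  # constructed proxy log: timestamp client method target status

IOC_LINE = re.compile(r"^-\s*(\w+):\s*(\S+)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")

@dataclass
class IocSet:
    urls: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    sockets: set = field(default_factory=set)    # (ip, port) tuples
    hashes: set = field(default_factory=set)
    skipped: list = field(default_factory=list)  # (value, reason): not fit for blocklists

def is_routable(ip: str) -> bool:
    """False for RFC 1918, loopback, link-local and other non-public ranges."""
    return ipaddress.ip_address(ip).is_global

def parse_iocs(lines) -> IocSet:
    out, pending_ip = IocSet(), None
    for m in filter(None, (IOC_LINE.match(ln.strip()) for ln in lines)):
        kind, value = m.groups()
        if kind == "file" and IPV4.match(value):
            pending_ip = value                     # its port is on the next line
            continue
        if kind == "hash" and value.isdigit() and pending_ip:
            if is_routable(pending_ip):
                out.sockets.add((pending_ip, int(value)))
            pending_ip = None
            continue
        pending_ip = None
        if kind == "hash" and SHA256.match(value.lower()):
            out.hashes.add(value.lower())
        elif kind == "domain":
            out.domains.add(value.lower())
        elif kind == "url":
            p = urlparse(value)
            host = (p.hostname or "").lower()
            if IPV4.match(host):
                if not is_routable(host):          # e.g. the 192.168.183.131 entry
                    out.skipped.append((value, "non-routable address"))
                    continue
                out.sockets.add((host, p.port or (443 if p.scheme == "https" else 80)))
            elif host:
                out.domains.add(host)
            out.urls.add(value)
    return out

def hunt(log_lines, iocs: IocSet):
    """Yield (line_no, confidence, reason); sockets must match address AND port."""
    known_ips = {ip for ip, _ in iocs.sockets}
    for n, line in enumerate(log_lines):
        parts = line.split()
        if len(parts) < 4:
            continue
        method, target = parts[2], parts[3]
        if method == "CONNECT":                    # TLS tunnel: only host:port is visible
            host, _, port = target.rpartition(":")
            host, port = host.lower(), int(port) if port.isdigit() else 443
        else:
            p = urlparse(target)
            host, port = (p.hostname or "").lower(), p.port or (443 if p.scheme == "https" else 80)
        if target in iocs.urls:
            yield n, "high", f"C2/delivery URL {target}"
        elif (host, port) in iocs.sockets:
            yield n, "high", f"C2 socket {host}:{port}"
        elif host in iocs.domains:
            yield n, "high", f"C2 domain {host}"
        elif host in known_ips:                    # address-only hits are noisy on shared hosting
            yield n, "low", f"known C2 address {host} on unexpected port {port}"

if __name__ == "__main__":
    for n, conf, why in hunt(PROXY_LOG, parse_iocs(IOC_LINES)):
        print(f"[{conf}] line {n}: {why}")
```

Run directly, it prints the three hits for the constructed log: the CONNECT to 43.153.222.28:4545 and the GET of the Latrodectus URL at high confidence, and the CONNECT to 95.164.68.73 on port 8443 at low confidence because only the address, not the port, matches. The 192.168.183.131 entry is parked in `skipped` and never matches. In practice `parse_iocs` takes the full export and `hunt` takes proxy or DNS logs after their columns are mapped; a production version would also carry the feed's own confidence percentage through from the Description column instead of the fixed labels used here.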
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Finland
Technical Details
- Threat Level: 2 (MISP scale: Medium)
- Analysis: 1 (MISP scale: Ongoing)
- Distribution: 3 (MISP scale: All communities)
- Uuid: f3b68713-63e5-411d-9a3f-a6edc16ff211
- Original Timestamp: 1715472188 (2024-05-12 00:03:08 UTC)
Indicators of Compromise
URL
Value | Description
---|---
http://mindelscott.com/2022/11/11/legal-responsibility-of-a-when-a-dog-attacks-a-cat | GootLoader payload delivery URL (confidence level: 100%)
https://blixtgordon.se/manual.php | GootLoader payload delivery URL (confidence level: 100%)
http://studiolegalefalco-masi.it/microsoft-enterprise-purchase-agreement | GootLoader payload delivery URL (confidence level: 100%)
http://bellbaker.com/guarantor-for-rental-agreement-ontario | GootLoader payload delivery URL (confidence level: 100%)
https://43.153.222.28:4545/cm | Cobalt Strike botnet C2 (confidence level: 100%)
https://images-oss-1318291330.cos.ap-beijing.myqcloud.com/images/favicon.ico | Cobalt Strike botnet C2 (confidence level: 100%)
http://langtonhowarth.co.uk/2022/12/06/what-color-rock-lights-are-legal-in-florida | GootLoader payload delivery URL (confidence level: 100%)
https://anikvan.com/content.php | Unidentified 111 (Latrodectus) botnet C2 (confidence level: 100%)
https://boriz400.com/api/azure | Unidentified 111 (Latrodectus) botnet C2 (confidence level: 100%)
http://470927cm.n9shteam3.top/linejavascriptsqltraffic.php | DCRat botnet C2 (confidence level: 100%)
https://countnatbt.site/ywrhzjaxngm1yjfh/ | Coper botnet C2 (confidence level: 80%)
https://mix3etbt.website/ywrhzjaxngm1yjfh/ | Coper botnet C2 (confidence level: 80%)
https://btcountates.fun/ywrhzjaxngm1yjfh/ | Coper botnet C2 (confidence level: 80%)
https://3countbt.pw/ywrhzjaxngm1yjfh/ | Coper botnet C2 (confidence level: 80%)
https://vat-app.su/ywrhzjaxngm1yjfh/ | Coper botnet C2 (confidence level: 80%)
https://alleggro.pw/ywrhzjaxngm1yjfh/ | Coper botnet C2 (confidence level: 80%)
http://asleman.org/2022/03/31/washington-state-medical-assistant-scope-of-practice-laws-legal-overview | GootLoader payload delivery URL (confidence level: 100%)
http://ikwilvanmijnpoloaf.nl/2023/08/28/how-to-write-money-agreement | GootLoader payload delivery URL (confidence level: 100%)
https://blog.demuthphoto.com/manual.php | GootLoader payload delivery URL (confidence level: 100%)
http://a0929453.xsph.ru/a448b41e.php | DCRat botnet C2 (confidence level: 100%)
http://smallders.com/ar/understanding-ohio-forced-medication-laws-what-you-need-to-know | GootLoader payload delivery URL (confidence level: 100%)
http://lumiere.grupotyc.com/orange-coast-title-company-license-number-legal-title-services | GootLoader payload delivery URL (confidence level: 100%)
http://8.137.116.204:8888/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%)
https://124.220.19.159/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%)
http://a0941925.xsph.ru/e7ea97c6.php | DCRat botnet C2 (confidence level: 100%)
https://github.com/sendgrid/krampus/files/15199097/krampus.zip | SmartLoader payload delivery URL (confidence level: 100%)
http://80.66.81.134/api/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms | SmartLoader botnet C2 (confidence level: 100%)
http://044913cm.n9shteam2.top/eternalprotectdefault.php | DCRat botnet C2 (confidence level: 100%)
http://a0946931.xsph.ru/_defaultwindows.php | DCRat botnet C2 (confidence level: 100%)
https://blog.enghauser.de/manual.php | GootLoader payload delivery URL (confidence level: 100%)
https://nt-stealers.com/login | Unknown malware botnet C2 (confidence level: 100%)
https://ferocanhackerr.net/yti3ntjmywy0mwe2/ | Coper botnet C2 (confidence level: 80%)
https://ferocandelimisin.com/yti3ntjmywy0mwe2/ | Coper botnet C2 (confidence level: 80%)
https://ferocanaseviyor.net/yti3ntjmywy0mwe2/ | Coper botnet C2 (confidence level: 80%)
https://ferocansinyalcimisinla.com/yti3ntjmywy0mwe2/ | Coper botnet C2 (confidence level: 80%)
https://ferocanagahacibaba.net/yti3ntjmywy0mwe2/ | Coper botnet C2 (confidence level: 80%)
https://bananamanana.org/ote5mzgxywzinjk1/ | Coper botnet C2 (confidence level: 80%)
https://spedarito.top/ote5mzgxywzinjk1/ | Coper botnet C2 (confidence level: 80%)
https://melonna.top/ote5mzgxywzinjk1/ | Coper botnet C2 (confidence level: 80%)
https://spritecocola.top/ote5mzgxywzinjk1/ | Coper botnet C2 (confidence level: 80%)
https://meibuzjasta.top/ote5mzgxywzinjk1/ | Coper botnet C2 (confidence level: 80%)
https://makcolanivaesto.top/ote5mzgxywzinjk1/ | Coper botnet C2 (confidence level: 80%)
https://birimammonedm.top/ote5mzgxywzinjk1/ | Coper botnet C2 (confidence level: 80%)
http://cq77272.tw1.ru/_defaultwindows.php | DCRat botnet C2 (confidence level: 100%)
http://84.247.155.115/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
https://139.9.62.19/metro91/admin/1/ppptp.jpg | Cobalt Strike botnet C2 (confidence level: 100%)
https://23.227.203.189/functionalstatus/mcvq-9f5hgl92ma7ouczvcz | Cobalt Strike botnet C2 (confidence level: 100%)
http://139.9.62.19/metro91/admin/1/ppptp.jpg | Cobalt Strike botnet C2 (confidence level: 100%)
http://188.116.22.177/cx | Cobalt Strike botnet C2 (confidence level: 100%)
https://118.25.85.49:6443/push | Cobalt Strike botnet C2 (confidence level: 100%)
https://d2ewlfde9nvzf.cloudfront.net/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%)
https://d1v4b6pbk0kwvw.cloudfront.net/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%)
https://wraimey.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%)
http://88.214.26.29:8001/push | Cobalt Strike botnet C2 (confidence level: 100%)
https://101.201.54.74:9999/ga.js | Cobalt Strike botnet C2 (confidence level: 100%)
https://101.201.54.74/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%)
https://104.236.69.99/c/msdownload/update/others/2016/12/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%)
http://173.249.196.234/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://47.108.153.69:7777/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
http://47.108.137.190/_/scs/mail-static/_/js/ | Cobalt Strike botnet C2 (confidence level: 100%)
http://111.231.21.83/ptj | Cobalt Strike botnet C2 (confidence level: 100%)
http://147.135.211.38/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://104.236.69.99/c/msdownload/update/others/2016/12/29136388_ | Cobalt Strike botnet C2 (confidence level: 100%)
http://43.153.222.28:433/cx | Cobalt Strike botnet C2 (confidence level: 100%)
http://124.223.220.137:8080/match | Cobalt Strike botnet C2 (confidence level: 100%)
https://43.153.222.28:4545/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%)
https://124.222.52.190/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
https://103.150.10.45:8443/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
http://8.141.13.130:8089/visit.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://8.219.229.99/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
https://1.117.93.65:8443/pixel | Cobalt Strike botnet C2 (confidence level: 100%)
https://8.219.229.99/j.ad | Cobalt Strike botnet C2 (confidence level: 100%)
http://1.14.204.208/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://49.235.118.195/dpixel | Cobalt Strike botnet C2 (confidence level: 100%)
http://110.41.21.173/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://8.141.13.130:8098/en_us/all.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://192.168.183.131/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://101.201.54.74:1234/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
http://124.222.52.190:8880/cx | Cobalt Strike botnet C2 (confidence level: 100%)
http://124.222.36.180/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%)
https://111.229.209.159/microsoft/owa/ | Cobalt Strike botnet C2 (confidence level: 100%)
https://43.143.193.228/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://122.10.105.51:808/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%)
https://1c-marketing.top/v1 | Cobalt Strike botnet C2 (confidence level: 100%)
https://microstar.cfd/task | Cobalt Strike botnet C2 (confidence level: 100%)
https://action-winds.cfd/data | Cobalt Strike botnet C2 (confidence level: 100%)
https://service-1bsjckga-1252578700.gz.tencentapigw.com.cn/api/x | Cobalt Strike botnet C2 (confidence level: 100%)
https://51.89.72.183/index.htm | Cobalt Strike botnet C2 (confidence level: 100%)
http://154.204.180.125/activity | Cobalt Strike botnet C2 (confidence level: 100%)
http://111.230.98.22:2222/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
https://43.156.13.20/rewardsapp/ncfooter | Cobalt Strike botnet C2 (confidence level: 100%)
https://34.92.137.73/ptj | Cobalt Strike botnet C2 (confidence level: 100%)
https://154.44.24.21:8443/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%)
http://43.136.71.208:8054/api/methon/scan | Cobalt Strike botnet C2 (confidence level: 100%)
Domain
Value | Description
---|---
blazinghotter.igg.biz | Loki Password Stealer (PWS) botnet C2 domain (confidence level: 75%)
images-oss-1318291330.cos.ap-beijing.myqcloud.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
anikvan.com | Unidentified 111 (Latrodectus) botnet C2 domain (confidence level: 100%)
boriz400.com | Unidentified 111 (Latrodectus) botnet C2 domain (confidence level: 100%)
illoskanawer.com | Unidentified 111 (Latrodectus) botnet C2 domain (confidence level: 100%)
krampus-executor.org | SmartLoader payload delivery domain (confidence level: 100%)
higomanga.info | Loki Password Stealer (PWS) botnet C2 domain (confidence level: 75%)
nt-stealers.com | Unknown malware botnet C2 domain (confidence level: 100%)
d2ewlfde9nvzf.cloudfront.net | Cobalt Strike botnet C2 domain (confidence level: 100%)
d1v4b6pbk0kwvw.cloudfront.net | Cobalt Strike botnet C2 domain (confidence level: 100%)
wraimey.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
1c-marketing.top | Cobalt Strike botnet C2 domain (confidence level: 100%)
microstar.cfd | Cobalt Strike botnet C2 domain (confidence level: 100%)
action-winds.cfd | Cobalt Strike botnet C2 domain (confidence level: 100%)
service-1bsjckga-1252578700.gz.tencentapigw.com.cn | Cobalt Strike botnet C2 domain (confidence level: 100%)
Address:port
These are ThreatFox ip:port indicators. In the raw export each appears as a "file" entry holding the address followed by a "hash" entry holding the TCP port; the pairs are listed together here. Match on both address and port.
Value | Description
---|---
18.192.93.86:14858 | NjRAT botnet C2 server (confidence level: 75%)
46.183.222.118:5057 | Remcos botnet C2 server (confidence level: 100%)
167.88.174.49:8081 | Cobalt Strike botnet C2 server (confidence level: 50%)
185.17.40.153:81 | Sliver botnet C2 server (confidence level: 50%)
131.154.128.183:8443 | Deimos botnet C2 server (confidence level: 50%)
104.200.72.177:6513 | BianLian botnet C2 server (confidence level: 50%)
103.70.232.240:80 | Responder botnet C2 server (confidence level: 50%)
1.161.85.40:443 | QakBot botnet C2 server (confidence level: 50%)
119.45.38.211:8888 | Unknown malware botnet C2 server (confidence level: 50%)
106.52.18.198:8888 | Unknown malware botnet C2 server (confidence level: 50%)
185.173.36.71:80 | Unknown malware botnet C2 server (confidence level: 50%)
95.164.68.73:443 | Unidentified 111 (Latrodectus) botnet C2 server (confidence level: 75%)
91.194.11.183:443 | Unidentified 111 (Latrodectus) botnet C2 server (confidence level: 75%)
103.186.117.142:1144 | Remcos botnet C2 server (confidence level: 100%)
123.99.198.130:10299 | Ghost RAT botnet C2 server (confidence level: 100%)
115.231.218.42:10299 | Ghost RAT botnet C2 server (confidence level: 100%)
45.155.250.229:80 | Socks5 Systemz botnet C2 server (confidence level: 100%)
79.110.49.244:80 | Socks5 Systemz botnet C2 server (confidence level: 100%)
80.66.81.134:80 | SmartLoader botnet C2 server (confidence level: 100%)
146.70.158.83:80 | solarmarker botnet C2 server (confidence level: 100%)
176.123.161.158:1337 | RedLine Stealer botnet C2 server (confidence level: 100%)
54.80.154.23:80 | Loki Password Stealer (PWS) botnet C2 server (confidence level: 75%)
45.76.153.153:80 | Cobalt Strike botnet C2 server (confidence level: 50%)
105.155.173.158:10000 | NjRAT botnet C2 server (confidence level: 100%)
23.227.203.189:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
125.73.208.47:4505 | Deimos botnet C2 server (confidence level: 50%)
52.83.56.72:443 | Deimos botnet C2 server (confidence level: 50%)
5.189.152.51:80 | Deimos botnet C2 server (confidence level: 50%)
149.154.158.222:36884 | BianLian botnet C2 server (confidence level: 50%)
185.234.216.209:20023 | BianLian botnet C2 server (confidence level: 50%)
172.172.150.146:443 | Havoc botnet C2 server (confidence level: 50%)
43.155.16.246:443 | Havoc botnet C2 server (confidence level: 50%)
172.81.61.224:443 | Havoc botnet C2 server (confidence level: 50%)
178.128.170.218:443 | Havoc botnet C2 server (confidence level: 50%)
13.231.126.178:443 | Havoc botnet C2 server (confidence level: 50%)
85.104.36.117:443 | QakBot botnet C2 server (confidence level: 50%)
107.167.18.6:7979 | DCRat botnet C2 server (confidence level: 50%)
107.167.18.3:7979 | DCRat botnet C2 server (confidence level: 50%)
107.167.18.4:7979 | DCRat botnet C2 server (confidence level: 50%)
107.167.18.2:7979 | DCRat botnet C2 server (confidence level: 50%)
118.25.101.81:8888 | Unknown malware botnet C2 server (confidence level: 50%)
43.159.230.147:8888 | Unknown malware botnet C2 server (confidence level: 50%)
120.55.100.239:8888 | Unknown malware botnet C2 server (confidence level: 50%)
8.130.135.45:8888 | Unknown malware botnet C2 server (confidence level: 50%)
91.92.250.224:80 | Meduza Stealer botnet C2 server (confidence level: 50%)
103.21.88.14:50555 | Unknown malware botnet C2 server (confidence level: 50%)
103.21.88.13:50555 | Unknown malware botnet C2 server (confidence level: 50%)
95.217.242.180:443 | RedLine Stealer botnet C2 server (confidence level: 100%)
91.92.250.227:6606 | AsyncRAT botnet C2 server (confidence level: 100%)
111.229.209.159:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
43.143.193.228:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
185.196.8.18:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
113.31.105.33:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
51.89.72.183:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
154.204.180.125:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
43.156.13.20:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
34.92.137.73:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
54.82.65.203:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
Hash (SHA-256)
Value | Description
---|---
4833e3f6c520312f6cc2716fb89a31c86e143e410305ffdff072786bce948e0c | SmartLoader payload (confidence level: 100%)
Threat ID: 682c7ab9e3e6de8ceb742b8a
Added to database: 5/20/2025, 12:51:05 PM
Last enriched: 6/19/2025, 1:04:00 PM
Last updated: 8/16/2025, 10:30:45 AM
Views: 14