ThreatFox IOCs for 2024-06-08
AI Analysis
Technical Summary
The provided threat information pertains to a set of Indicators of Compromise (IOCs) published on June 8, 2024, by ThreatFox, a platform specializing in sharing threat intelligence data. The threat is classified as malware-related, specifically within the domain of OSINT (Open Source Intelligence), network activity, and payload delivery. No specific affected software versions or products are identified, and no direct exploits or patches are available. The threat level is indicated as 2 on an unspecified scale, with moderate analysis and distribution scores, suggesting a moderate presence or dissemination in the wild but without confirmed active exploitation. The absence of known exploits and patches implies that this entry currently represents intelligence data rather than an active, widespread malware campaign. The technical details and tags emphasize the OSINT nature of the threat, likely involving the collection or dissemination of malicious payloads or network indicators that could be used for further attacks or reconnaissance. The lack of concrete indicators or CWEs (Common Weakness Enumerations) limits the ability to pinpoint exact attack vectors or vulnerabilities. Overall, this entry appears to be an intelligence report highlighting potential or emerging malware-related network activity rather than a direct, active malware infection vector at this time.
Potential Impact
For European organizations, the impact of this threat is currently limited due to the absence of known active exploits or targeted affected products. However, the presence of OSINT-related malware and network activity indicators suggests a potential risk during the reconnaissance and preparatory stages of cyberattacks. Organizations in critical infrastructure, government, finance, and technology sectors could be indirectly impacted if threat actors leverage these IOCs to craft targeted payload delivery mechanisms or network intrusions. The medium severity rating indicates a moderate risk level, primarily from the perspective of threat intelligence and early warning rather than immediate operational disruption. European entities that rely heavily on open-source intelligence for security monitoring or threat hunting may find value in integrating these IOCs to enhance detection capabilities. The lack of patches or direct exploit information means that the threat currently poses more of a surveillance and information-gathering risk than a risk of immediate compromise or data loss. Nonetheless, the potential for escalation exists if threat actors develop active exploits based on these indicators.
Mitigation Recommendations
Given the nature of this threat as OSINT-related malware indicators without active exploits, mitigation should focus on enhancing detection and early warning capabilities rather than patching or direct remediation. Specific recommendations include:
1. Integrate the provided IOCs into existing Security Information and Event Management (SIEM) systems and threat intelligence platforms to improve detection of related network activity and payload delivery attempts.
2. Conduct regular threat hunting exercises using these IOCs to identify any early signs of compromise or reconnaissance within the network.
3. Strengthen network segmentation and monitoring to limit the impact of any potential payload delivery or lateral movement attempts.
4. Educate security teams on the evolving nature of OSINT-based threats and encourage proactive monitoring of ThreatFox and similar platforms for updated intelligence.
5. Implement strict egress filtering and anomaly detection to identify unusual outbound communications that may indicate data exfiltration or command and control activity.
6. Maintain up-to-date endpoint detection and response (EDR) solutions capable of identifying suspicious payloads or behaviors associated with emerging malware threats.
These measures go beyond generic advice by focusing on threat intelligence integration and proactive detection tailored to OSINT-related malware indicators.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- UUID: fbab55e4-b101-4bdf-b375-e6341544b05f
- Original Timestamp: 1717891386
Indicators of Compromise
Url
Value | Description | Copy |
---|---|---|
urlhttps://dcc.olcrv.com/login/tologin | More_eggs botnet C2 (confidence level: 49%) | |
urlhttps://83.97.73.39/ytyxnjljzdi1yzfh/ | Coper botnet C2 (confidence level: 80%) | |
urlhttps://97felu2ehv0r5iff3cslcamel.store/ytyxnjljzdi1yzfh/ | Coper botnet C2 (confidence level: 80%) | |
urlhttps://6zimks6know8jihvtoa8camel.store/ytyxnjljzdi1yzfh/ | Coper botnet C2 (confidence level: 80%) | |
urlhttps://3w0mi18gkfrf6l8a8d09camel.store/ytyxnjljzdi1yzfh/ | Coper botnet C2 (confidence level: 80%) | |
urlhttps://brfw0g97s9mwun8juhb0camel.store/ytyxnjljzdi1yzfh/ | Coper botnet C2 (confidence level: 80%) | |
urlhttps://re5bvyc4l6004tqmtzp4camel.store/ytyxnjljzdi1yzfh/ | Coper botnet C2 (confidence level: 80%) | |
urlhttps://k6fvq8c11dqqjd446ck9camel.store/ytyxnjljzdi1yzfh/ | Coper botnet C2 (confidence level: 80%) | |
urlhttps://7l19jlu5trkqndh24li4camel.store/ytyxnjljzdi1yzfh/ | Coper botnet C2 (confidence level: 80%) | |
urlhttps://pq2trelsquu44xbpritocamel.store/ytyxnjljzdi1yzfh/ | Coper botnet C2 (confidence level: 80%) | |
urlhttps://wlw7obu15d6ru3eqy3o8camel.store/ytyxnjljzdi1yzfh/ | Coper botnet C2 (confidence level: 80%) | |
urlhttps://hqj6lhsgcnuxfnlj5y95camel.store/ytyxnjljzdi1yzfh/ | Coper botnet C2 (confidence level: 80%) | |
urlhttps://inat-protv-box.net.tr/ytyxnjljzdi1yzfh/ | Coper botnet C2 (confidence level: 80%) | |
urlhttps://hvamkulturogforsamlingshus.dk/reports.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://hvamkulturogforsamlingshus.dk/reports.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://hvamkulturogforsamlingshus.dk/reports.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://hvamkulturogforsamlingshus.dk/reports.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttp://saasfeerentals.com/stamping-fee-for-sp-agreement | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://i-likeitalot.com/reports.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://ikenouedojo.com/reports.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://47.92.24.58:8001/pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://64.7.199.88:10443/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://213.109.202.188/load | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://23.95.65.198/push | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://content.microsoft.com.w.kunlunca.com/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://23.95.65.198:2222/activity | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://101.35.42.157/load | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://intranat.vhfk.se/reports.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttp://39.104.230.184:6668/ga.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://111.231.51.250:9090/activity | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://89.116.48.173:9999/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://service-o1dc3wx3-1311799005.bj.tencentapigw.com.cn/api/x | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://112.124.5.135:1234/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://106.52.130.164:8080/updates | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://47.239.1.232/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://4.191.74.1/dpixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://124.71.153.149/assets/css/font-awesome.css | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://124.71.153.115/pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://61.170.80.230/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://180.213.179.141/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://120.195.185.112/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://118.182.226.161/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://61.170.81.233/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://27.37.200.237/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://101.226.26.147/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://185.186.146.25/ca | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://exotours.in/read-agreement-of-being-gay-for-30-days | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://cs.xfdaili.com/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://154.198.245.62/visit.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://134.122.75.115:444/push | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://23.95.65.198/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://iheartredteams.com/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://www.platypus-verlag.ch/wisconsin-tax-installment-agreement/ | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://labstyl.nazwa.pl/reports.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://ktweb.home.pl/reports.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://bloriz.prestador-xp.services/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://blufel2.nenaviste.org/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://blulunwinim.neskodny.builders/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://blumol3.maxtel.solutions/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://bluronbonxil.cuidadofinanceiro.agency/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://bluronpal.maxtel.solutions/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://brubenbonzol183.prestador-xp.services/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://brucal.nenaviste.org/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://brudensintal.vistoriaveicular.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://brudiz.neskodny.builders/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://brudiz.vistoriaveicular.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://brumengonwel.abastecimentoonline.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://brumol164.fazenda-sps.one/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://brusonroncol.chamadoregional.solutions/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://brutonlanfer.maxtel.solutions/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://brutonlinjal.nenaviste.org/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://clahenkil037.fazenda-sps.one/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://clananbel.neskodny.builders/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://clegongor2.prestador-xp.services/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://cleriz.prestador-xp.services/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://clesonqual.vistoriaveicular.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://cracal.cuidadofinanceiro.agency/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://cracal.nenaviste.org/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://cramengonwel143.businessgreat.one/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crapennal24.prestador-xp.services/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crasonnal.cuidadofinanceiro.agency/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crasonqual.atende-br.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crediz.atende-br.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://cresonrol761.vistoriaveicular.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://cretonpaz.vistoriaveicular.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crical.chamadoregional.solutions/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://criel.cuidadofinanceiro.agency/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crironcindor3.vistoriaveicular.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crironnonbil3.businessgreat.one/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crisonlinder.neskodny.builders/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crocal3.fazenda-sps.one/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crofer.prestador-xp.services/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crohal.fazenda-sps.one/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crojal.cuidadofinanceiro.agency/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://cronanbel.vistoriaveicular.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://croringungem.vistoriaveicular.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://croronqual225.vistoriaveicular.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crosonpal.businessgreat.one/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crotal.maxtel.solutions/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crotunlinder.chamadoregional.solutions/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://crovaz.abastecimentoonline.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://drabel4.maxtel.solutions/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://dralundinnal.chamadoregional.solutions/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://dratunlinfil.fazenda-sps.one/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://dratunmintil.fazenda-sps.one/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://drejal.chamadoregional.solutions/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://drelunral38.maxtel.solutions/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://dresonnal4.abastecimentoonline.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://drocangoncol.businessgreat.one/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://drocansal.fazenda-sps.one/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://dromongongor.businessgreat.one/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://dromonnancal.atende-br.chat/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttps://drosonfinfel.nenaviste.org/ | Astaroth botnet C2 (confidence level: 100%) | |
urlhttp://23.88.106.134/6a9f8e2503d99c04.php | Stealc botnet C2 (confidence level: 100%) | |
urlhttps://goodstos.com/agreement-side-effects/ | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttps://lilabrand.com/reports.php | GootLoader payload delivery URL (confidence level: 100%) | |
urlhttp://110.42.249.222:6666/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://hospitalstorage.azureedge.net/git.asp | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://34.92.25.154:8443/match | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://candycappa.store/remove | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://bad-week-gw.aws-usw2.cloud-ara.tyk.io/api/v2/login | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://58.53.128.67:82/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://20.244.96.7/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://146.70.149.42:9999/j.ad | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://97.64.18.185:3333/ca | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://118.89.200.169/activity | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://185.22.152.167:8868/cx | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://sanhaozhifu.top:8443/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://47.92.162.69/mall_100_100.html | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://54.169.254.221/j.ad | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://58.137.140.238/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://49.232.249.109:81/cx | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://124.71.102.140/load | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://38.180.165.153/7providerlinux/cdngenerator/jspacketupdateprocessorserverprotecttraffictestdatalifeuploads.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://505732cm.n9shteam2.top/updatesqldb.php | DCRat botnet C2 (confidence level: 100%) |
File
Hash
Domain
Threat ID: 682acdc3bbaf20d303f1fde5
Added to database: 5/19/2025, 6:20:51 AM
Last enriched: 6/18/2025, 8:20:48 AM
Last updated: 8/13/2025, 4:15:18 PM