ThreatFox IOCs for 2024-12-28
AI Analysis
Technical Summary
The provided threat information pertains to a malware-related entry titled "ThreatFox IOCs for 2024-12-28," sourced from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat intelligence data. The threat is categorized under "type:osint," indicating that it is related to open-source intelligence gathering or dissemination rather than a specific software product or version. No specific affected versions or products are listed, and there are no associated Common Weakness Enumerations (CWEs) or patch links, suggesting that this entry is more of an intelligence report rather than a vulnerability tied to a particular software flaw. The technical details include a threat level of 2 (on an unspecified scale), an analysis rating of 1, and a distribution rating of 3, which may imply moderate threat presence and distribution. There are no known exploits in the wild, and no indicators of compromise (IOCs) are provided in the data. The severity is marked as medium, but no CVSS score is assigned. The lack of detailed technical specifics, such as malware behavior, attack vectors, or targeted systems, limits the depth of technical analysis. However, the classification as malware and the presence on ThreatFox suggest that this threat could involve malicious software potentially used for reconnaissance, data collection, or other malicious activities leveraging OSINT techniques or targeting OSINT tools or data. The TLP (Traffic Light Protocol) white tag indicates that the information is publicly shareable without restriction.
Potential Impact
Given the limited technical details, the potential impact on European organizations is primarily speculative but can be inferred based on the nature of OSINT-related malware. Such malware could be used to gather sensitive information, conduct reconnaissance, or facilitate further attacks by harvesting intelligence from open sources or compromised systems. The medium severity rating suggests a moderate risk level, potentially impacting confidentiality if sensitive data is exfiltrated. Integrity and availability impacts appear less likely given the absence of known exploits or destructive capabilities. European organizations relying heavily on OSINT tools or those involved in intelligence, defense, or critical infrastructure sectors could face increased risk if this malware targets their information-gathering processes or systems. The absence of known exploits in the wild reduces immediate risk but does not preclude future exploitation or targeted campaigns. Overall, the impact is moderate, with a focus on information confidentiality and potential preparatory stages for more severe attacks.
Mitigation Recommendations
1. Enhance monitoring of network traffic and endpoint behavior for unusual patterns that could indicate OSINT-related malware activity, even in the absence of specific IOCs.
2. Implement strict access controls and segmentation for systems involved in OSINT activities to limit lateral movement and data exposure.
3. Regularly update and audit OSINT tools and related software to ensure they are not vulnerable to exploitation or misuse.
4. Conduct user awareness training focused on recognizing social engineering tactics that might be used to deploy OSINT malware.
5. Employ threat intelligence sharing platforms to stay updated on emerging IOCs and tactics related to OSINT malware.
6. Use sandboxing and behavioral analysis tools to detect and analyze suspicious files or activities related to OSINT operations.
7. Develop incident response plans specifically addressing reconnaissance and information-gathering threats to enable rapid containment and remediation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Indicators of Compromise
- url: http://8.222.194.183:8888/supershell/login/
- file: 8.222.194.183
- hash: 8888
- domain: api.primusext.pro
- domain: primusext.pro
- domain: api.cyberhavenext.pro
- domain: cyberhavenext.pro
- domain: iobit.pro
- domain: api.videodownloadhelper.pro
- domain: videodownloadhelper.pro
- domain: api.censortracker.pro
- domain: censortracker.pro
- domain: api.dearflip.pro
- domain: internxtvpn.pro
- domain: api.yescaptcha.pro
- domain: yescaptcha.pro
- domain: api.proxyswitchyomega.pro
- domain: api.yujaverity.info
- domain: yujaverity.info
- domain: castorus.info
- domain: api.parrottalks.info
- domain: parrottalks.info
- domain: api.bookmarkfc.info
- domain: bookmarkfc.info
- domain: api.uvoice.live
- domain: uvoice.live
- url: http://sonar.inndata.xyz
- url: http://52.140.39.118
- url: http://selaras-stage-web.inndata.xyz
- url: http://154.216.20.210
- url: http://185.196.9.228
- url: http://107.175.48.27
- url: http://185.11.61.95
- url: http://154.216.19.101
- domain: stingyerasjhru.click
- domain: klipvumisui.shop
- domain: lev-tolstoi.com
- file: 147.45.44.216
- hash: 15666
- file: 83.229.120.159
- hash: 9999
- file: 47.121.137.189
- hash: 8443
- file: 213.199.39.146
- hash: 80
- file: 213.199.39.146
- hash: 443
- file: 117.72.78.81
- hash: 8080
- file: 54.39.233.87
- hash: 2404
- file: 94.156.167.37
- hash: 2404
- file: 198.244.238.84
- hash: 8888
- file: 198.244.238.84
- hash: 8889
- file: 93.123.109.154
- hash: 6881
- file: 81.71.155.224
- hash: 8443
- file: 54.233.192.91
- hash: 1911
- file: 35.179.177.158
- hash: 7001
- file: 54.71.6.246
- hash: 22011
- file: 5.154.181.87
- hash: 80
- file: 64.71.152.199
- hash: 443
- file: 94.103.125.11
- hash: 80
- file: 94.103.125.11
- hash: 443
- file: 189.1.219.125
- hash: 9999
- file: 148.135.19.111
- hash: 443
- file: 116.62.139.38
- hash: 31337
- file: 104.193.69.142
- hash: 443
- file: 152.42.136.113
- hash: 443
- file: 149.102.147.106
- hash: 6606
- file: 102.117.167.52
- hash: 7443
- file: 185.198.234.213
- hash: 443
- file: 194.26.192.21
- hash: 8080
- domain: sofakingclean.pro
- domain: ec2-3-21-97-241.us-east-2.compute.amazonaws.com
- domain: ecs-110-41-147-219.compute.hwclouds-dns.com
- file: 8.217.72.211
- hash: 443
- file: 65.109.242.203
- hash: 443
- domain: www.hacking.grayhatbangladesh.com
- file: 103.136.150.117
- hash: 60000
- file: 101.200.120.13
- hash: 60000
- file: 5.196.234.112
- hash: 3333
- file: 89.47.50.205
- hash: 3333
- file: 54.93.180.246
- hash: 3333
- file: 3.104.95.164
- hash: 443
- file: 143.244.176.33
- hash: 3333
- file: 47.129.203.7
- hash: 443
- file: 35.81.110.202
- hash: 443
- file: 20.78.37.199
- hash: 3333
- file: 67.205.183.175
- hash: 9999
- file: 13.53.206.203
- hash: 3333
- file: 111.92.243.182
- hash: 3333
- file: 35.87.51.10
- hash: 3333
- file: 178.250.170.86
- hash: 3333
- file: 195.74.238.205
- hash: 995
- file: 88.234.26.154
- hash: 443
- file: 78.176.251.137
- hash: 443
- file: 139.198.30.159
- hash: 9999
- file: 104.251.218.253
- hash: 443
- file: 112.126.94.134
- hash: 80
- file: 156.244.19.46
- hash: 443
- file: 121.36.63.137
- hash: 8443
- file: 47.97.96.147
- hash: 82
- file: 209.141.47.117
- hash: 1999
- url: http://154.37.219.91:8888/supershell/login/
- file: 154.37.219.91
- hash: 8888
- domain: ksarcftp.com
- url: https://ksarcftp.com/updater.php
- file: 45.92.9.110
- hash: 8080
- file: 123.11.253.99
- hash: 5873
- file: 2.58.56.217
- hash: 80
- domain: 185-196-9-195.cprapid.com
- file: 195.10.205.38
- hash: 3306
- domain: ras2.shop
- url: https://ras2.shop/up
- url: https://ras2.shop/up/b
- url: https://laborersquei.click/api
- url: https://cegu.shop/api
- url: https://klipvumisui.shop/api
- domain: lumbercare.sbs
- file: 185.196.8.68
- hash: 7257
- domain: finatick.com
- url: https://lackadausaz.click/api
- file: 83.222.191.146
- hash: 35342
- url: http://47.90.135.102:443/2vcr
- file: 27.106.119.252
- hash: 443
- file: 198.181.32.32
- hash: 2080
- file: 104.243.254.103
- hash: 2404
- file: 194.59.30.53
- hash: 60782
- file: 45.82.84.41
- hash: 3389
- file: 45.82.84.41
- hash: 8080
- file: 172.235.14.61
- hash: 31337
- file: 81.19.140.237
- hash: 8080
- file: 194.26.192.165
- hash: 7707
- file: 194.26.192.165
- hash: 8808
- file: 92.255.57.75
- hash: 15747
- file: 134.209.249.56
- hash: 7443
- file: 87.120.127.237
- hash: 80
- file: 51.17.112.90
- hash: 9142
- file: 13.38.49.150
- hash: 32995
- file: 160.191.175.187
- hash: 80
- file: 98.159.236.221
- hash: 23
- url: https://parallellywko.shop/api
- url: https://tightuteop.shop/api
- domain: parallellywko.shop
- domain: tightuteop.shop
- url: https://jammywritej.click/api
- url: https://ambiwa.com/5o0e.js
- domain: ambiwa.com
- url: https://ambiwa.com/js.php
- file: 156.238.243.161
- hash: 8443
- file: 87.120.115.26
- hash: 80
- file: 118.194.249.212
- hash: 8080
- file: 78.171.102.136
- hash: 60
- file: 78.171.102.136
- hash: 888
- file: 78.171.102.136
- hash: 2003
- file: 78.171.102.136
- hash: 2004
- file: 78.171.102.136
- hash: 20000
- file: 149.102.147.106
- hash: 7707
- file: 102.117.175.201
- hash: 7443
- file: 13.38.19.250
- hash: 443
- file: 3.27.91.209
- hash: 6719
- url: https://alleybikeru.click/api
- domain: alleybikeru.click
- file: 110.42.33.174
- hash: 6666
- file: 58.181.38.161
- hash: 10798
- domain: fiveth5sb.top
- domain: sixth6sb.top
- domain: twentyth20sb.top
- domain: eighth8sb.top
- domain: oneth1sb.top
- domain: home.twentyth20ht.top
- domain: fortth14sb.top
- domain: thirtth13sb.top
- domain: nineth9sb.top
- domain: tenth10sb.top
- domain: thirtth13ht.top
- domain: twentyth20ht.top
- domain: home.fiveth5sb.top
- domain: harlemsupport.com
- url: http://219.156.96.47:41486/mozi.m
- url: http://117.199.19.169:40252/mozi.m
- url: http://048038cm.renyash.ru/pipepacketprocessgeneratordownloads.php
- file: 206.238.198.14
- hash: 9091
- file: 46.175.150.13
- hash: 443
- file: 38.6.216.144
- hash: 80
- file: 123.249.26.90
- hash: 80
- file: 165.154.98.216
- hash: 8082
- file: 80.76.51.19
- hash: 2404
- file: 61.28.233.21
- hash: 443
- file: 64.188.9.175
- hash: 3008
- domain: edge.microcoft.co
- file: 45.141.87.50
- hash: 15747
- file: 45.200.148.209
- hash: 8089
- file: 194.59.30.152
- hash: 80
- file: 194.59.30.152
- hash: 8089
- domain: cmaster-57540.portmap.io
- domain: security.cecbank.online
- file: 94.156.167.42
- hash: 5000
- file: 94.156.167.42
- hash: 4449
- file: 35.78.206.123
- hash: 35857
- file: 35.181.5.63
- hash: 28080
- file: 3.26.42.181
- hash: 47929
- file: 184.94.215.147
- hash: 53
- file: 3.127.138.57
- hash: 11048
- file: 18.157.68.73
- hash: 11048
- file: 18.197.239.5
- hash: 11048
- url: http://001031cm.nyashteam.ru/pythonprocessdefaultwordpressdatalifetempcdndownloads.php
- file: 83.222.191.146
- hash: 33211
- url: http://ce58027.tw1.ru/4fe1d043.php
- file: 106.54.31.97
- hash: 8810
- file: 8.218.163.85
- hash: 9091
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- Uuid: 62550532-a7b3-47ee-9b9b-8fd7dafdd13d
- Original Timestamp: 1735430587
Indicators of Compromise
Url
Value | Description
---|---
http://8.222.194.183:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
http://sonar.inndata.xyz | Hook botnet C2 (confidence level: 100%)
http://52.140.39.118 | Hook botnet C2 (confidence level: 100%)
http://selaras-stage-web.inndata.xyz | Hook botnet C2 (confidence level: 100%)
http://154.216.20.210 | Hook botnet C2 (confidence level: 100%)
http://185.196.9.228 | Hook botnet C2 (confidence level: 100%)
http://107.175.48.27 | Hook botnet C2 (confidence level: 100%)
http://185.11.61.95 | Hook botnet C2 (confidence level: 100%)
http://154.216.19.101 | Hook botnet C2 (confidence level: 100%)
http://154.37.219.91:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
https://ksarcftp.com/updater.php | Satacom botnet C2 (confidence level: 100%)
https://ras2.shop/up | Unknown malware botnet C2 (confidence level: 100%)
https://ras2.shop/up/b | Unknown malware botnet C2 (confidence level: 100%)
https://laborersquei.click/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://cegu.shop/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://klipvumisui.shop/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://lackadausaz.click/api | Lumma Stealer botnet C2 (confidence level: 100%)
http://47.90.135.102:443/2vcr | Cobalt Strike botnet C2 (confidence level: 75%)
https://parallellywko.shop/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://tightuteop.shop/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://jammywritej.click/api | Lumma Stealer botnet C2 (confidence level: 50%)
https://ambiwa.com/5o0e.js | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://ambiwa.com/js.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://alleybikeru.click/api | Lumma Stealer botnet C2 (confidence level: 50%)
http://219.156.96.47:41486/mozi.m | Mozi payload delivery URL (confidence level: 50%)
http://117.199.19.169:40252/mozi.m | Mozi payload delivery URL (confidence level: 50%)
http://048038cm.renyash.ru/pipepacketprocessgeneratordownloads.php | DCRat botnet C2 (confidence level: 100%)
http://001031cm.nyashteam.ru/pythonprocessdefaultwordpressdatalifetempcdndownloads.php | DCRat botnet C2 (confidence level: 100%)
http://ce58027.tw1.ru/4fe1d043.php | DCRat botnet C2 (confidence level: 100%)
File
Value | Description
---|---
8.222.194.183 | Unknown malware botnet C2 server (confidence level: 100%)
147.45.44.216 | Meduza Stealer botnet C2 server (confidence level: 100%)
83.229.120.159 | Cobalt Strike botnet C2 server (confidence level: 100%)
47.121.137.189 | Cobalt Strike botnet C2 server (confidence level: 100%)
213.199.39.146 | Cobalt Strike botnet C2 server (confidence level: 100%)
213.199.39.146 | Cobalt Strike botnet C2 server (confidence level: 100%)
117.72.78.81 | Cobalt Strike botnet C2 server (confidence level: 100%)
54.39.233.87 | Remcos botnet C2 server (confidence level: 100%)
94.156.167.37 | Remcos botnet C2 server (confidence level: 100%)
198.244.238.84 | Remcos botnet C2 server (confidence level: 100%)
198.244.238.84 | Remcos botnet C2 server (confidence level: 100%)
93.123.109.154 | Remcos botnet C2 server (confidence level: 100%)
81.71.155.224 | Sliver botnet C2 server (confidence level: 100%)
54.233.192.91 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
35.179.177.158 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
54.71.6.246 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
5.154.181.87 | Meduza Stealer botnet C2 server (confidence level: 100%)
64.71.152.199 | Cobalt Strike botnet C2 server (confidence level: 100%)
94.103.125.11 | Cobalt Strike botnet C2 server (confidence level: 100%)
94.103.125.11 | Cobalt Strike botnet C2 server (confidence level: 100%)
189.1.219.125 | Cobalt Strike botnet C2 server (confidence level: 100%)
148.135.19.111 | Cobalt Strike botnet C2 server (confidence level: 100%)
116.62.139.38 | Sliver botnet C2 server (confidence level: 100%)
104.193.69.142 | Sliver botnet C2 server (confidence level: 100%)
152.42.136.113 | Sliver botnet C2 server (confidence level: 100%)
149.102.147.106 | AsyncRAT botnet C2 server (confidence level: 100%)
102.117.167.52 | Unknown malware botnet C2 server (confidence level: 100%)
185.198.234.213 | Havoc botnet C2 server (confidence level: 100%)
194.26.192.21 | ERMAC botnet C2 server (confidence level: 100%)
8.217.72.211 | Sliver botnet C2 server (confidence level: 90%)
65.109.242.203 | Vidar botnet C2 server (confidence level: 100%)
103.136.150.117 | Unknown malware botnet C2 server (confidence level: 100%)
101.200.120.13 | Unknown malware botnet C2 server (confidence level: 100%)
5.196.234.112 | Unknown malware botnet C2 server (confidence level: 100%)
89.47.50.205 | Unknown malware botnet C2 server (confidence level: 100%)
54.93.180.246 | Unknown malware botnet C2 server (confidence level: 100%)
3.104.95.164 | Unknown malware botnet C2 server (confidence level: 100%)
143.244.176.33 | Unknown malware botnet C2 server (confidence level: 100%)
47.129.203.7 | Unknown malware botnet C2 server (confidence level: 100%)
35.81.110.202 | Unknown malware botnet C2 server (confidence level: 100%)
20.78.37.199 | Unknown malware botnet C2 server (confidence level: 100%)
67.205.183.175 | Unknown malware botnet C2 server (confidence level: 100%)
13.53.206.203 | Unknown malware botnet C2 server (confidence level: 100%)
111.92.243.182 | Unknown malware botnet C2 server (confidence level: 100%)
35.87.51.10 | Unknown malware botnet C2 server (confidence level: 100%)
178.250.170.86 | Unknown malware botnet C2 server (confidence level: 100%)
195.74.238.205 | QakBot botnet C2 server (confidence level: 100%)
88.234.26.154 | QakBot botnet C2 server (confidence level: 100%)
78.176.251.137 | QakBot botnet C2 server (confidence level: 100%)
139.198.30.159 | Cobalt Strike botnet C2 server (confidence level: 100%)
104.251.218.253 | Cobalt Strike botnet C2 server (confidence level: 100%)
112.126.94.134 | Cobalt Strike botnet C2 server (confidence level: 100%)
156.244.19.46 | Cobalt Strike botnet C2 server (confidence level: 100%)
121.36.63.137 | Cobalt Strike botnet C2 server (confidence level: 100%)
47.97.96.147 | Cobalt Strike botnet C2 server (confidence level: 100%)
209.141.47.117 | MooBot botnet C2 server (confidence level: 75%)
154.37.219.91 | Unknown malware botnet C2 server (confidence level: 100%)
45.92.9.110 | Sliver botnet C2 server (confidence level: 100%)
123.11.253.99 | Unknown malware botnet C2 server (confidence level: 100%)
2.58.56.217 | Hook botnet C2 server (confidence level: 100%)
195.10.205.38 | Orcus RAT botnet C2 server (confidence level: 100%)
185.196.8.68 | Rhadamanthys botnet C2 server (confidence level: 50%)
83.222.191.146 | Bashlite botnet C2 server (confidence level: 75%)
27.106.119.252 | Cobalt Strike botnet C2 server (confidence level: 100%)
198.181.32.32 | Cobalt Strike botnet C2 server (confidence level: 100%)
104.243.254.103 | Remcos botnet C2 server (confidence level: 100%)
194.59.30.53 | Remcos botnet C2 server (confidence level: 100%)
45.82.84.41 | Remcos botnet C2 server (confidence level: 100%)
45.82.84.41 | Remcos botnet C2 server (confidence level: 100%)
172.235.14.61 | Sliver botnet C2 server (confidence level: 100%)
81.19.140.237 | Sliver botnet C2 server (confidence level: 100%)
194.26.192.165 | AsyncRAT botnet C2 server (confidence level: 100%)
194.26.192.165 | AsyncRAT botnet C2 server (confidence level: 100%)
92.255.57.75 | SectopRAT botnet C2 server (confidence level: 100%)
134.209.249.56 | Unknown malware botnet C2 server (confidence level: 100%)
87.120.127.237 | Hook botnet C2 server (confidence level: 100%)
51.17.112.90 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
13.38.49.150 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
160.191.175.187 | MooBot botnet C2 server (confidence level: 100%)
98.159.236.221 | Bashlite botnet C2 server (confidence level: 100%)
156.238.243.161 | Cobalt Strike botnet C2 server (confidence level: 100%)
87.120.115.26 | Cobalt Strike botnet C2 server (confidence level: 100%)
118.194.249.212 | ShadowPad botnet C2 server (confidence level: 90%)
78.171.102.136 | AsyncRAT botnet C2 server (confidence level: 100%)
78.171.102.136 | AsyncRAT botnet C2 server (confidence level: 100%)
78.171.102.136 | AsyncRAT botnet C2 server (confidence level: 100%)
78.171.102.136 | AsyncRAT botnet C2 server (confidence level: 100%)
78.171.102.136 | AsyncRAT botnet C2 server (confidence level: 100%)
149.102.147.106 | AsyncRAT botnet C2 server (confidence level: 100%)
102.117.175.201 | Unknown malware botnet C2 server (confidence level: 100%)
13.38.19.250 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
3.27.91.209 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
110.42.33.174 | ValleyRAT botnet C2 server (confidence level: 100%)
58.181.38.161 | Ghost RAT botnet C2 server (confidence level: 100%)
206.238.198.14 | ValleyRAT botnet C2 server (confidence level: 100%)
46.175.150.13 | Cobalt Strike botnet C2 server (confidence level: 100%)
38.6.216.144 | Cobalt Strike botnet C2 server (confidence level: 100%)
123.249.26.90 | Cobalt Strike botnet C2 server (confidence level: 100%)
165.154.98.216 | Cobalt Strike botnet C2 server (confidence level: 100%)
80.76.51.19 | Remcos botnet C2 server (confidence level: 100%)
61.28.233.21 | Sliver botnet C2 server (confidence level: 100%)
64.188.9.175 | AsyncRAT botnet C2 server (confidence level: 100%)
45.141.87.50 | SectopRAT botnet C2 server (confidence level: 100%)
45.200.148.209 | Hook botnet C2 server (confidence level: 100%)
194.59.30.152 | Hook botnet C2 server (confidence level: 100%)
194.59.30.152 | Hook botnet C2 server (confidence level: 100%)
94.156.167.42 | Venom RAT botnet C2 server (confidence level: 100%)
94.156.167.42 | DCRat botnet C2 server (confidence level: 100%)
35.78.206.123 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
35.181.5.63 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
3.26.42.181 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
184.94.215.147 | BianLian botnet C2 server (confidence level: 100%)
3.127.138.57 | NjRAT botnet C2 server (confidence level: 100%)
18.157.68.73 | NjRAT botnet C2 server (confidence level: 100%)
18.197.239.5 | NjRAT botnet C2 server (confidence level: 100%)
83.222.191.146 | Mirai botnet C2 server (confidence level: 100%)
106.54.31.97 | Ghost RAT botnet C2 server (confidence level: 100%)
8.218.163.85 | ValleyRAT botnet C2 server (confidence level: 100%)
Hash
Value | Description
---|---
8888 | Unknown malware botnet C2 server (confidence level: 100%)
15666 | Meduza Stealer botnet C2 server (confidence level: 100%)
9999 | Cobalt Strike botnet C2 server (confidence level: 100%)
8443 | Cobalt Strike botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
8080 | Cobalt Strike botnet C2 server (confidence level: 100%)
2404 | Remcos botnet C2 server (confidence level: 100%)
2404 | Remcos botnet C2 server (confidence level: 100%)
8888 | Remcos botnet C2 server (confidence level: 100%)
8889 | Remcos botnet C2 server (confidence level: 100%)
6881 | Remcos botnet C2 server (confidence level: 100%)
8443 | Sliver botnet C2 server (confidence level: 100%)
1911 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
7001 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
22011 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
80 | Meduza Stealer botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
9999 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
31337 | Sliver botnet C2 server (confidence level: 100%)
443 | Sliver botnet C2 server (confidence level: 100%)
443 | Sliver botnet C2 server (confidence level: 100%)
6606 | AsyncRAT botnet C2 server (confidence level: 100%)
7443 | Unknown malware botnet C2 server (confidence level: 100%)
443 | Havoc botnet C2 server (confidence level: 100%)
8080 | ERMAC botnet C2 server (confidence level: 100%)
443 | Sliver botnet C2 server (confidence level: 90%)
443 | Vidar botnet C2 server (confidence level: 100%)
60000 | Unknown malware botnet C2 server (confidence level: 100%)
60000 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
443 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
443 | Unknown malware botnet C2 server (confidence level: 100%)
443 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
9999 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
995 | QakBot botnet C2 server (confidence level: 100%)
443 | QakBot botnet C2 server (confidence level: 100%)
443 | QakBot botnet C2 server (confidence level: 100%)
9999 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
8443 | Cobalt Strike botnet C2 server (confidence level: 100%)
82 | Cobalt Strike botnet C2 server (confidence level: 100%)
1999 | MooBot botnet C2 server (confidence level: 75%)
8888 | Unknown malware botnet C2 server (confidence level: 100%)
8080 | Sliver botnet C2 server (confidence level: 100%)
5873 | Unknown malware botnet C2 server (confidence level: 100%)
80 | Hook botnet C2 server (confidence level: 100%)
3306 | Orcus RAT botnet C2 server (confidence level: 100%)
7257 | Rhadamanthys botnet C2 server (confidence level: 50%)
35342 | Bashlite botnet C2 server (confidence level: 75%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
2080 | Cobalt Strike botnet C2 server (confidence level: 100%)
2404 | Remcos botnet C2 server (confidence level: 100%)
60782 | Remcos botnet C2 server (confidence level: 100%)
3389 | Remcos botnet C2 server (confidence level: 100%)
8080 | Remcos botnet C2 server (confidence level: 100%)
31337 | Sliver botnet C2 server (confidence level: 100%)
8080 | Sliver botnet C2 server (confidence level: 100%)
7707 | AsyncRAT botnet C2 server (confidence level: 100%)
8808 | AsyncRAT botnet C2 server (confidence level: 100%)
15747 | SectopRAT botnet C2 server (confidence level: 100%)
7443 | Unknown malware botnet C2 server (confidence level: 100%)
80 | Hook botnet C2 server (confidence level: 100%)
9142 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
32995 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
80 | MooBot botnet C2 server (confidence level: 100%)
23 | Bashlite botnet C2 server (confidence level: 100%)
8443 | Cobalt Strike botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
8080 | ShadowPad botnet C2 server (confidence level: 90%)
60 | AsyncRAT botnet C2 server (confidence level: 100%)
888 | AsyncRAT botnet C2 server (confidence level: 100%)
2003 | AsyncRAT botnet C2 server (confidence level: 100%)
2004 | AsyncRAT botnet C2 server (confidence level: 100%)
20000 | AsyncRAT botnet C2 server (confidence level: 100%)
7707 | AsyncRAT botnet C2 server (confidence level: 100%)
7443 | Unknown malware botnet C2 server (confidence level: 100%)
443 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
6719 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
6666 | ValleyRAT botnet C2 server (confidence level: 100%)
10798 | Ghost RAT botnet C2 server (confidence level: 100%)
9091 | ValleyRAT botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
8082 | Cobalt Strike botnet C2 server (confidence level: 100%)
2404 | Remcos botnet C2 server (confidence level: 100%)
443 | Sliver botnet C2 server (confidence level: 100%)
3008 | AsyncRAT botnet C2 server (confidence level: 100%)
15747 | SectopRAT botnet C2 server (confidence level: 100%)
8089 | Hook botnet C2 server (confidence level: 100%)
80 | Hook botnet C2 server (confidence level: 100%)
8089 | Hook botnet C2 server (confidence level: 100%)
5000 | Venom RAT botnet C2 server (confidence level: 100%)
4449 | DCRat botnet C2 server (confidence level: 100%)
hash35857 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash28080 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash47929 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash53 | BianLian botnet C2 server (confidence level: 100%) | |
hash11048 | NjRAT botnet C2 server (confidence level: 100%) | |
hash11048 | NjRAT botnet C2 server (confidence level: 100%) | |
hash11048 | NjRAT botnet C2 server (confidence level: 100%) | |
hash33211 | Mirai botnet C2 server (confidence level: 100%) | |
hash8810 | Ghost RAT botnet C2 server (confidence level: 100%) | |
hash9091 | ValleyRAT botnet C2 server (confidence level: 100%) |
Domain
Value | Description |
---|---|
api.primusext.pro | Unknown malware payload delivery domain (confidence level: 25%) |
primusext.pro | Unknown malware payload delivery domain (confidence level: 25%) |
api.cyberhavenext.pro | Unknown malware payload delivery domain (confidence level: 25%) |
cyberhavenext.pro | Unknown malware payload delivery domain (confidence level: 25%) |
iobit.pro | Unknown malware payload delivery domain (confidence level: 25%) |
api.videodownloadhelper.pro | Unknown malware payload delivery domain (confidence level: 25%) |
videodownloadhelper.pro | Unknown malware payload delivery domain (confidence level: 25%) |
api.censortracker.pro | Unknown malware payload delivery domain (confidence level: 25%) |
censortracker.pro | Unknown malware payload delivery domain (confidence level: 25%) |
api.dearflip.pro | Unknown malware payload delivery domain (confidence level: 25%) |
internxtvpn.pro | Unknown malware payload delivery domain (confidence level: 25%) |
api.yescaptcha.pro | Unknown malware payload delivery domain (confidence level: 25%) |
yescaptcha.pro | Unknown malware payload delivery domain (confidence level: 25%) |
api.proxyswitchyomega.pro | Unknown malware payload delivery domain (confidence level: 25%) |
api.yujaverity.info | Unknown malware payload delivery domain (confidence level: 25%) |
yujaverity.info | Unknown malware payload delivery domain (confidence level: 25%) |
castorus.info | Unknown malware payload delivery domain (confidence level: 25%) |
api.parrottalks.info | Unknown malware payload delivery domain (confidence level: 25%) |
parrottalks.info | Unknown malware payload delivery domain (confidence level: 25%) |
api.bookmarkfc.info | Unknown malware payload delivery domain (confidence level: 25%) |
bookmarkfc.info | Unknown malware payload delivery domain (confidence level: 25%) |
api.uvoice.live | Unknown malware payload delivery domain (confidence level: 25%) |
uvoice.live | Unknown malware payload delivery domain (confidence level: 25%) |
stingyerasjhru.click | Lumma Stealer botnet C2 domain (confidence level: 100%) |
klipvumisui.shop | Lumma Stealer botnet C2 domain (confidence level: 100%) |
lev-tolstoi.com | Lumma Stealer botnet C2 domain (confidence level: 100%) |
sofakingclean.pro | Unknown malware botnet C2 domain (confidence level: 100%) |
ec2-3-21-97-241.us-east-2.compute.amazonaws.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
ecs-110-41-147-219.compute.hwclouds-dns.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
www.hacking.grayhatbangladesh.com | BlackNET RAT botnet C2 domain (confidence level: 100%) |
ksarcftp.com | Satacom botnet C2 domain (confidence level: 100%) |
185-196-9-195.cprapid.com | Havoc botnet C2 domain (confidence level: 100%) |
ras2.shop | Unknown malware botnet C2 domain (confidence level: 100%) |
lumbercare.sbs | Unknown malware botnet C2 domain (confidence level: 100%) |
finatick.com | VenomLNK payload delivery domain (confidence level: 100%) |
parallellywko.shop | Lumma Stealer botnet C2 domain (confidence level: 100%) |
tightuteop.shop | Lumma Stealer botnet C2 domain (confidence level: 100%) |
ambiwa.com | FAKEUPDATES payload delivery domain (confidence level: 100%) |
alleybikeru.click | Lumma Stealer botnet C2 domain (confidence level: 100%) |
fiveth5sb.top | CryptBot botnet C2 domain (confidence level: 100%) |
sixth6sb.top | CryptBot botnet C2 domain (confidence level: 100%) |
twentyth20sb.top | CryptBot botnet C2 domain (confidence level: 100%) |
eighth8sb.top | CryptBot botnet C2 domain (confidence level: 100%) |
oneth1sb.top | CryptBot botnet C2 domain (confidence level: 100%) |
home.twentyth20ht.top | CryptBot botnet C2 domain (confidence level: 100%) |
fortth14sb.top | CryptBot botnet C2 domain (confidence level: 100%) |
thirtth13sb.top | CryptBot botnet C2 domain (confidence level: 100%) |
nineth9sb.top | CryptBot botnet C2 domain (confidence level: 100%) |
tenth10sb.top | CryptBot botnet C2 domain (confidence level: 100%) |
thirtth13ht.top | CryptBot botnet C2 domain (confidence level: 100%) |
twentyth20ht.top | CryptBot botnet C2 domain (confidence level: 100%) |
home.fiveth5sb.top | CryptBot botnet C2 domain (confidence level: 100%) |
harlemsupport.com | DarkGate botnet C2 domain (confidence level: 100%) |
edge.microcoft.co | AsyncRAT botnet C2 domain (confidence level: 100%) |
cmaster-57540.portmap.io | Quasar RAT botnet C2 domain (confidence level: 100%) |
security.cecbank.online | Havoc botnet C2 domain (confidence level: 100%) |
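As an added example (not code from ThreatFox or from this page), the following Python script turns rows in the `Value | Description |` layout used above into structured IOCs, drops entries below a confidence threshold, and matches DNS query logs against them with parent-domain matching, so that a query for `cdn.fiveth5sb.top` is caught by the listed `fiveth5sb.top` while `notfiveth5sb.top` is not. The five table rows embedded in the script are copied from this page; the DNS log lines and their four-field format (timestamp, client IP, query type, query name) are constructed for the example.

```python
"""Match DNS query logs against a ThreatFox-style domain IOC table.

Added example: not code from ThreatFox or from the page it accompanies.
The table rows below are copied from the page; the DNS log lines and
their format are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rows copied from the page's domain table (Value | Description | layout).
SAMPLE_TABLE = """\
Value | Description |
---|---|
api.primusext.pro | Unknown malware payload delivery domain (confidence level: 25%) |
stingyerasjhru.click | Lumma Stealer botnet C2 domain (confidence level: 100%) |
ec2-3-21-97-241.us-east-2.compute.amazonaws.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
fiveth5sb.top | CryptBot botnet C2 domain (confidence level: 100%) |
home.fiveth5sb.top | CryptBot botnet C2 domain (confidence level: 100%) |
"""

# Constructed resolver log: timestamp, client IP, query type, query name.
DNS_LOG = """\
2024-12-28T09:12:41Z 10.20.4.17 A www.example.com
2024-12-28T09:13:05Z 10.20.4.17 A stingyerasjhru.click.
2024-12-28T09:14:22Z 10.20.7.3 A cdn.fiveth5sb.top
2024-12-28T09:15:10Z 10.20.7.3 A api.primusext.pro
2024-12-28T09:16:47Z 10.20.9.8 A ec2-3-21-97-241.us-east-2.compute.amazonaws.com
2024-12-28T09:17:30Z 10.20.9.8 A notfiveth5sb.top
"""


@dataclass(frozen=True)
class DomainIoc:
    value: str        # normalised: lower-case, no trailing dot
    description: str  # e.g. "Lumma Stealer botnet C2 domain"
    confidence: int   # ThreatFox confidence level in percent


# A data row is "<value> | <description> (confidence level: <n>%) |".
# Header and separator rows carry no confidence and therefore do not match.
ROW_RE = re.compile(
    r"^\s*(?P<value>[^|]+?)\s*\|\s*(?P<desc>.+?)\s*"
    r"\(confidence level:\s*(?P<conf>\d+)%\)\s*\|"
)


def normalise(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot of FQDN notation."""
    return name.strip().lower().rstrip(".")


def parse_domain_table(text: str) -> List[DomainIoc]:
    """Parse every data row of the table into a DomainIoc; skip other lines."""
    iocs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            iocs.append(DomainIoc(normalise(m["value"]), m["desc"].strip(), int(m["conf"])))
    return iocs


def build_index(iocs: List[DomainIoc], min_confidence: int = 50) -> Dict[str, DomainIoc]:
    """Keep only IOCs at or above the confidence threshold, keyed by domain."""
    return {ioc.value: ioc for ioc in iocs if ioc.confidence >= min_confidence}


def match_query(qname: str, index: Dict[str, DomainIoc]) -> Optional[DomainIoc]:
    """Return the IOC matching qname exactly or as one of its parent domains.

    Matching walks up one label at a time (cdn.fiveth5sb.top -> fiveth5sb.top)
    and stops before the bare TLD. Because it compares whole labels rather than
    substrings, notfiveth5sb.top does not match fiveth5sb.top.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels) - 1):
        ioc = index.get(".".join(labels[i:]))
        if ioc is not None:
            return ioc
    return None


def scan_dns_log(log_text: str, index: Dict[str, DomainIoc]) -> List[Tuple[str, str, str, DomainIoc]]:
    """Return (timestamp, client, queried name, ioc) for every query hitting the index."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the scan
        ts, client, _qtype, qname = fields[:4]
        ioc = match_query(qname, index)
        if ioc is not None:
            hits.append((ts, client, normalise(qname), ioc))
    return hits


if __name__ == "__main__":
    iocs = parse_domain_table(SAMPLE_TABLE)
    for threshold in (50, 25):
        print(f"--- min_confidence={threshold} ---")
        for ts, client, qname, ioc in scan_dns_log(DNS_LOG, build_index(iocs, threshold)):
            print(f"{ts} {client} {qname} -> {ioc.description} ({ioc.confidence}%)")
```

At the default threshold of 50% the 25%-confidence `.pro`/`.info`/`.live` payload-delivery domains are excluded and only surface when the scan is run with `min_confidence=25`; treat those low-confidence hits as triage leads rather than block-list entries. Names that encode a rented public IP (the `ec2-…compute.amazonaws.com` and `ecs-…hwclouds-dns.com` entries) or that sit under a dynamic-DNS or port-forwarding service are reassigned to other tenants over time, so keep them as exact matches with an expiry date and do not promote their parent domains to a block list.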
Threat ID: 682c7dc3e8347ec82d2e4838
Added to database: 5/20/2025, 1:04:03 PM
Last enriched: 6/19/2025, 3:32:54 PM
Last updated: 8/16/2025, 2:44:41 AM