ThreatFox IOCs for 2025-01-01
AI Analysis
Technical Summary
This entry is the abuse.ch ThreatFox MISP feed event for 2025-01-01 (UUID ed5fff99-4c23-4da4-813b-320c1bf4eb97; original timestamp 1735776186, which is 2025-01-02 00:03:06 UTC). It is an indicator feed rather than a vulnerability advisory, so no product version, CVE, CWE or patch applies, and the OSINT label describes the source (publicly shared intelligence), not a kind of threat. The MISP header fields are threat level 2, which is Medium on MISP's 1 = High to 3 = Low scale and is what the page's medium severity reflects, analysis 1 (Ongoing) and distribution 3 (All communities). The event carries 147 indicators: 85 IP:port pairs (ThreatFox ip:port attributes, i.e. the address and the TCP port the C2 listens on; they are not files or hashes), 35 URLs and 27 domains, each tagged with a malware family and a ThreatFox confidence level of 50, 75 or 100 %. The families span post-exploitation frameworks (Cobalt Strike, Sliver, Havoc, Meterpreter), commodity RATs (AsyncRAT, Remcos, Quasar RAT, XWorm, NjRAT, XenoRAT, DCRat, DarkVision RAT, ValleyRAT, NetSupport Manager RAT), information stealers (Lumma Stealer, Meduza Stealer, RedLine Stealer, Rhadamanthys), the Hook Android banker, BianLian, Linux/IoT botnets (Mirai, Mozi, MooBot, Chaos), FAKEUPDATES, Agent Tesla and servers labelled MimiKatz, plus a number of C2 servers ThreatFox could only label "Unknown malware". Several clusters stand out: 19 Lumma Stealer C2 URLs that all use the /api path on throwaway .biz/.cyou/.store/.shop domains; five DCRat gates (185.239.51.56 and the renyash.ru/.top hosts) with DCRat's characteristic long concatenated-word .php paths; three "Unknown malware" URLs on port 8888 at /supershell/login/, which is the default port and login path of the open-source Supershell C2 panel; two Mozi payload URLs serving mozi.m; two USPS-themed Meduza Stealer domains (usps-mydeliver.com, usps-mypackage.com); and 110.41.4.69, which appears both as a Cobalt Strike IP:port and through its Huawei Cloud hostname ecs-110-41-4-69.compute.hwclouds-dns.com. The Hook C2 at 91.107.146.68 is listed on three ports (80, 8082, 8089), and several hosts are provider-assigned generic names (cprapid.com, contaboserver.net, serv00.com, pbiaas.com), which matters for how the indicators are matched. Taken together this is a snapshot of live commodity command-and-control infrastructure, not a preparatory or purely informational note.
Potential Impact
The indicators are confirmed C2 and payload-delivery endpoints for tooling seen across the whole intrusion lifecycle, so the question for a European organisation is not whether they are dangerous but whether any of its hosts have talked to them. A hit on a Cobalt Strike, Sliver, Havoc or Meterpreter IP:port means a hands-on operator already has a foothold (these frameworks are the usual precursor to ransomware, and BianLian infrastructure appears in the same list) and warrants incident response, not just blocking. A hit on a Lumma, Meduza, RedLine or Rhadamanthys endpoint means browser credentials, session cookies and wallet data from that host should be treated as stolen and already for sale, which is how many initial-access brokers are supplied. AsyncRAT, Remcos, Quasar, XWorm, DCRat, NjRAT, XenoRAT and NetSupport hits mean persistent remote control of a workstation; Hook hits mean a compromised Android device with banking-app overlays; Mirai, Mozi, MooBot or Chaos hits point at an unmanaged Linux or IoT device on the perimeter being used as a bot. There is no vulnerability to patch: delivery is through phishing, cracked software and malvertising, fake browser-update pages (FAKEUPDATES), USPS-style parcel lures and weak credentials on Internet-exposed devices. Many of the addresses sit on shared cloud and VPS infrastructure (the Huawei Cloud hostname, the cPanel, Contabo and serv00 hostnames) and will be reassigned, so the operational value of the list is highest for retrospective hunting in telemetry from late December 2024 and January 2025 and decays quickly for permanent blocking.
Mitigation Recommendations
Because this is a live indicator set, the work is ingestion, retrospective hunting and short-lived blocking rather than patching:
- Ingest the indicators as typed objects. IP:port pairs should be matched on destination address and port together; an address-only hit on a shared cloud range is a lead to review, not a verdict. URLs should be matched on host, port and path after normalising case and default ports, with a host-only hit as a weaker lead. Domains should match the listed FQDN and its subdomains, never the parent zone: cpcalendars.pd.194-59-30-152.cprapid.com, jholo.duckdns.org, vmi2323701.contaboserver.net and s4.serv00.com sit under shared hosting or dynamic-DNS zones that must not be blocked wholesale. Pull the data from the ThreatFox API or the abuse.ch MISP feed, which carry the same entries with confidence levels, first-seen dates and references, rather than from a rendered page.
- Hunt backwards. Search proxy, DNS, firewall and NetFlow logs and EDR network telemetry covering at least the weeks around 2025-01-01 for these values, and triage hits by family: framework C2 (Cobalt Strike, Sliver, Havoc, Meterpreter) triggers incident response and credential rotation for the affected host's users; stealers (Lumma, Meduza, RedLine, Rhadamanthys) trigger password and session-token resets plus MFA re-enrolment; RATs trigger isolation and reimaging; IoT botnets (Mirai, Mozi, MooBot, Chaos) trigger locating and removing the exposed device. Weight by ThreatFox confidence: the 50 % entries (Rhadamanthys, one NetSupport Manager server, two AsyncRAT servers, the Mozi URLs, the Agent Tesla domain) and the 75 % entries (NjRAT, Mirai) are hunting leads; the 100 % entries are safe to block.
- Block and detect forward. Push the IP:port and domain indicators into firewall and proxy deny lists and IDS rules (Suricata or Snort) with an expiry of a few weeks, because C2 servers on cloud and VPS ranges are recycled; sinkhole the Lumma, Meduza, Hook and Havoc domains in DNS (RPZ); and alert on outbound connections from workstations to unusual ports (4449, 7443, 31337, 50050, 55443, 65533 and the like) regardless of destination, which also catches the next server the operators stand up.
- Cut the delivery vectors. Application allow-listing and disabling script hosts for unprivileged users block most stealer and RAT loaders; browser isolation or blocking of newly registered domains blunts FAKEUPDATES and Lumma lures; MFA and egress filtering on remote-access and IoT devices remove the Mirai/Mozi foothold. Make sure endpoint protection has current behavioural detections for the families named here, since the network indicators can be rotated within hours.
- Limit blast radius. Egress filtering so servers cannot reach arbitrary Internet hosts, network segmentation and least privilege restrict what a Cobalt Strike or Havoc operator can do after the first beacon and give detection time to work.
Since there is nothing to patch, readiness comes down to detection coverage, network hygiene and a rehearsed incident-response path for C2 hits.
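The matching and rule-generation steps above, as an added Python example written for this page (it is not OffSeq's, abuse.ch's or ThreatFox's code). INDICATORS holds a handful of values copied from this page's tables; EVENTS is constructed telemetry in a generic connection/DNS/HTTP shape, not real logs. Exact IP:port, domain-or-subdomain and normalised-URL matches are tiered "exact"; an address-only or host-only match is tiered "review"; a query for the bare shared zone cprapid.com deliberately produces no hit. The Suricata rules use the dns.query/dotprefix/endswith form (Suricata 6 or later) and arbitrary sids in a range you would reserve yourself.

```python
"""Match network telemetry against ThreatFox-style indicators and emit Suricata rules.

Added example for this page, not OffSeq's or abuse.ch's code. INDICATORS is a
subset copied from the page's tables; EVENTS is constructed telemetry.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Indicator:
    kind: str         # "ip:port", "domain" or "url" (ThreatFox ioc types)
    value: str
    family: str       # ThreatFox malware family
    confidence: int   # ThreatFox confidence_level, 0-100


INDICATORS = [
    Indicator("ip:port", "208.115.220.58:4449", "AsyncRAT", 100),
    Indicator("ip:port", "154.37.215.204:443", "Cobalt Strike", 100),
    Indicator("ip:port", "147.45.44.42:1488", "Rhadamanthys", 50),
    Indicator("domain", "awake-weaves.cyou", "Lumma Stealer", 100),
    Indicator("domain", "cpcalendars.pd.194-59-30-152.cprapid.com", "Hook", 100),
    Indicator("url", "http://jholo.duckdns.org:8181/upload.php", "DarkVision RAT", 100),
    Indicator("url", "http://221.14.60.132:53880/mozi.m", "Mozi", 50),
]

# Constructed telemetry: one dict per event, the shape a proxy/DNS/flow exporter would give.
EVENTS = [
    {"type": "conn", "dst": "208.115.220.58", "dport": 4449},             # exact ip:port
    {"type": "conn", "dst": "147.45.44.42", "dport": 8080},               # known C2 IP, unlisted port
    {"type": "dns", "query": "cdn.awake-weaves.cyou"},                    # subdomain of a C2 domain
    {"type": "dns", "query": "cprapid.com"},                              # shared parent zone: must not hit
    {"type": "http", "url": "http://JHOLO.duckdns.org:8181/upload.php"},  # case differs from the IOC
    {"type": "http", "url": "http://jholo.duckdns.org:8181/"},            # same host, different path
    {"type": "conn", "dst": "221.14.60.132", "dport": 53880},             # flow to the host of a URL IOC
]


def split_url(url):
    """Normalise a URL to (host, port, path) so case, scheme and default ports cannot hide a match."""
    u = urlsplit(url.strip())
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.hostname or "").lower(), port, u.path or "/"


def host_matches(host, domain):
    """True for the indicator FQDN itself or any subdomain of it; never for its parent zone."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def match_event(ev, indicators=INDICATORS):
    """Return (indicator, tier) for one event: 'exact' is actionable, 'review' is an IP- or host-only lead."""
    hits = []
    for ind in indicators:
        if ind.kind == "ip:port":
            ip, port = ind.value.rsplit(":", 1)
            if ev["type"] == "conn" and ev["dst"] == ip:
                hits.append((ind, "exact" if ev["dport"] == int(port) else "review"))
        elif ind.kind == "domain":
            if ev["type"] == "dns" and host_matches(ev["query"], ind.value):
                hits.append((ind, "exact"))
            elif ev["type"] == "http" and host_matches(split_url(ev["url"])[0], ind.value):
                hits.append((ind, "exact"))
        else:  # url
            ihost, iport, ipath = split_url(ind.value)
            if ev["type"] == "http":
                host, port, path = split_url(ev["url"])
                if (host, port, path) == (ihost, iport, ipath):
                    hits.append((ind, "exact"))
                elif host == ihost:
                    hits.append((ind, "review"))
            elif ev["type"] == "conn" and ev["dst"] == ihost:
                hits.append((ind, "exact" if ev["dport"] == iport else "review"))
            elif ev["type"] == "dns" and host_matches(ev["query"], ihost):
                hits.append((ind, "review"))
    return hits


def scan(events, indicators=INDICATORS):
    """Tuples of (event index, family, tier, indicator value) for every hit across the events."""
    return [(i, ind.family, tier, ind.value)
            for i, ev in enumerate(events) for ind, tier in match_event(ev, indicators)]


def suricata_rules(indicators=INDICATORS, sid_base=9100000):
    """One Suricata rule per indicator. sid_base is arbitrary: use a range reserved in your deployment."""
    rules = []
    for n, ind in enumerate(indicators):
        msg = f"ThreatFox 2025-01-01 {ind.family} C2 ({ind.confidence}%)"
        tail = f"classtype:trojan-activity; sid:{sid_base + n}; rev:1;)"
        if ind.kind == "ip:port":
            ip, port = ind.value.rsplit(":", 1)
            rules.append(f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{msg}"; flow:to_server; {tail}')
        elif ind.kind == "domain":  # dotprefix + endswith matches the FQDN and its subdomains (Suricata >= 6)
            rules.append(f'alert dns $HOME_NET any -> any any (msg:"{msg}"; dns.query; dotprefix; '
                         f'content:".{ind.value}"; endswith; nocase; {tail}')
        else:
            host, port, path = split_url(ind.value)
            rules.append(f'alert http $HOME_NET any -> any {port} (msg:"{msg}"; flow:to_server; '
                         f'http.host; content:"{host}"; http.uri; content:"{path}"; {tail}')
    return rules


if __name__ == "__main__":
    for i, family, tier, value in scan(EVENTS):
        print(f"event {i}: {tier:6} {family} <- {value}")
    print("\n".join(suricata_rules()))
```

Running the module prints six hits (events 0, 2, 4 and 6 exact; events 1 and 5 review) and seven rules; event 3 produces nothing because the bare cprapid.com zone is never widened from the listed FQDN. The "review" tier is the practical compromise for shared infrastructure: an address-only hit on a cloud IP or a host-only hit on a dynamic-DNS name is worth an analyst's look but not an automatic block.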
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Indicators of Compromise
- ip:port: 208.115.220.58:4449
- url: http://jholo.duckdns.org:8181/upload.php
- domain: raw.cloudboats.vip
- url: http://124.70.193.76:8888/supershell/login/
- url: http://113.44.78.183:8888/supershell/login/
- url: http://47.120.37.153:8888/supershell/login/
- domain: s4.serv00.com
- ip:port: 5.39.43.50:5234
- ip:port: 45.137.201.181:511
- ip:port: 154.37.215.204:443
- ip:port: 107.151.240.142:5555
- ip:port: 154.37.215.204:8888
- domain: vmi2323701.contaboserver.net
- ip:port: 209.38.217.87:443
- domain: cpcalendars.pd.194-59-30-152.cprapid.com
- ip:port: 210.89.45.122:7443
- url: http://221.14.60.132:53880/mozi.m
- ip:port: 134.175.121.153:5045
- url: http://185.239.51.56/externalvmpacketlongpollsqldbfloweruniversalcentral.php
- url: http://891781cm.renyash.ru/processorserverdefaultsqltrafficuniversalwpprivate.php
- url: http://23.94.247.46/pages/login.php
- ip:port: 34.208.255.157:1443
- ip:port: 1.94.19.136:65533
- ip:port: 46.246.84.7:2404
- ip:port: 1.14.104.62:8888
- ip:port: 88.201.69.136:443
- ip:port: 198.23.227.175:7710
- domain: avina.cloud
- ip:port: 86.124.168.255:443
- ip:port: 185.243.114.91:80
- ip:port: 209.151.153.81:8080
- ip:port: 193.31.28.181:4004
- domain: ecs-110-41-4-69.compute.hwclouds-dns.com
- domain: ocqztwhhfipaggkyloea.infinitum.space
- ip:port: 101.201.54.74:2222
- ip:port: 38.242.146.249:90
- ip:port: 94.158.245.27:80
- ip:port: 124.221.38.163:60000
- ip:port: 20.52.4.154:3331
- ip:port: 18.144.21.154:587
- ip:port: 94.154.33.140:3333
- ip:port: 89.250.65.37:3333
- ip:port: 31.7.35.14:443
- ip:port: 191.101.241.240:3333
- ip:port: 154.53.39.85:3333
- ip:port: 88.99.170.132:1920
- ip:port: 18.135.30.45:4204
- ip:port: 45.76.176.78:443
- ip:port: 206.72.197.102:30486
- ip:port: 117.72.92.74:5555
- ip:port: 110.41.4.69:8081
- ip:port: 146.190.91.121:46901
- domain: ip66-179-240-177.pbiaas.com
- ip:port: 134.175.248.97:80
- ip:port: 150.158.89.168:55443
- ip:port: 49.232.133.108:50050
- ip:port: 8.147.234.137:8999
- domain: www.103-152-255-69.cprapid.com
- ip:port: 34.132.16.207:7443
- ip:port: 186.32.225.34:8080
- ip:port: 45.141.26.234:443
- url: http://recessfriction.sbs/lod.php
- url: http://recessfriction.sbs/dol.php
- url: http://dogdecision.cfd/bar.php
- url: http://487997cm.renyash.top/videoflowergeneratortestpublic.php
- ip:port: 185.222.57.76:55615
- ip:port: 147.185.221.24:47517
- ip:port: 150.158.121.15:62000
- ip:port: 43.134.58.195:8080
- ip:port: 46.246.86.16:2404
- ip:port: 101.99.75.173:80
- ip:port: 91.107.146.68:8089
- ip:port: 91.107.146.68:80
- ip:port: 91.107.146.68:8082
- ip:port: 188.79.46.203:443
- ip:port: 195.133.51.144:80
- ip:port: 142.93.234.59:443
- url: https://awake-weaves.cyou/api
- url: https://brendon-sharjen.biz/api
- url: https://covery-mover.biz/api
- url: https://dare-curbys.biz/api
- url: https://dwell-exclaim.biz/api
- url: https://fadehairucw.store/api
- url: https://formy-spill.biz/api
- url: https://impend-differ.biz/api
- url: https://ingreem-eilish.biz/api
- url: https://outlookyn.cyou/api
- url: https://presticitpo.store/api
- url: https://print-vexer.biz/api
- url: https://scriptyprefej.store/api
- url: https://se-blurry.biz/api
- url: https://sordid-snaked.cyou/api
- url: https://thumbystriw.store/api
- url: https://wisdom-echoes.shop/api
- url: https://wrathful-jammy.cyou/api
- url: https://zinc-sneark.biz/api
- domain: awake-weaves.cyou
- domain: brendon-sharjen.biz
- domain: covery-mover.biz
- domain: dare-curbys.biz
- domain: dwell-exclaim.biz
- domain: formy-spill.biz
- domain: impend-differ.biz
- domain: ingreem-eilish.biz
- domain: outlookyn.cyou
- domain: print-vexer.biz
- domain: se-blurry.biz
- domain: sordid-snaked.cyou
- domain: wisdom-echoes.shop
- domain: wrathful-jammy.cyou
- domain: zinc-sneark.biz
- url: http://94.103.84.173/pages/login.php
- ip:port: 45.93.20.67:80
- url: http://101349cm.renyash.ru/videovmgamedefaulttestuniversalwp.php
- ip:port: 147.45.44.42:1488
- ip:port: 147.45.44.42:2001
- ip:port: 154.216.19.63:7290
- ip:port: 154.216.19.63:443
- ip:port: 63.32.99.39:32764
- ip:port: 157.20.182.8:1337
- ip:port: 198.23.227.140:8181
- ip:port: 154.91.34.250:14555
- ip:port: 23.94.37.42:2601
- ip:port: 154.39.239.95:1445
- ip:port: 3.22.61.147:80
- ip:port: 192.121.163.53:31337
- ip:port: 5.253.59.167:443
- ip:port: 5.175.237.184:443
- ip:port: 45.147.26.131:8888
- ip:port: 20.93.23.234:7443
- ip:port: 165.232.65.107:7443
- ip:port: 185.177.239.131:8082
- ip:port: 13.231.139.33:9301
- ip:port: 173.199.70.18:7443
- domain: usps-mydeliver.com
- ip:port: 23.94.247.46:80
- ip:port: 14.241.100.39:8080
- ip:port: 154.216.17.241:443
- url: http://42.231.223.147:60259/mozi.m
- ip:port: 83.136.208.202:4057
- ip:port: 170.205.31.90:3333
- ip:port: 69.166.230.200:6606
- ip:port: 187.209.210.95:4782
- domain: usps-mypackage.com
- domain: chatapi.edureel.ai
- url: http://126987cm.renyash.ru/vmpipejavascript_httpauthlongpollmultiwordpressdle.php
- ip:port: 207.32.218.35:7707
Technical Details
- Threat Level: 2 (MISP threat_level_id 2 = Medium; the scale is 1 = High, 2 = Medium, 3 = Low, 4 = Undefined)
- Analysis: 1 (MISP analysis 1 = Ongoing; 0 = Initial, 2 = Complete)
- Distribution: 3 (MISP distribution 3 = All communities)
- Uuid: ed5fff99-4c23-4da4-813b-320c1bf4eb97
- Original Timestamp: 1735776186 (2025-01-02 00:03:06 UTC)
Indicators of Compromise
IP:port
The feed publishes these as ThreatFox ip:port attributes (C2 address and listening TCP port); the IP and port are shown together here.
Value | Description
---|---
208.115.220.58:4449 | AsyncRAT botnet C2 server (confidence level: 100%)
5.39.43.50:5234 | NjRAT botnet C2 server (confidence level: 75%)
45.137.201.181:511 | NjRAT botnet C2 server (confidence level: 75%)
154.37.215.204:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
107.151.240.142:5555 | Cobalt Strike botnet C2 server (confidence level: 100%)
154.37.215.204:8888 | Unknown malware botnet C2 server (confidence level: 100%)
209.38.217.87:443 | Unknown malware botnet C2 server (confidence level: 100%)
210.89.45.122:7443 | Unknown malware botnet C2 server (confidence level: 100%)
134.175.121.153:5045 | Meterpreter botnet C2 server (confidence level: 100%)
34.208.255.157:1443 | Cobalt Strike botnet C2 server (confidence level: 100%)
1.94.19.136:65533 | Cobalt Strike botnet C2 server (confidence level: 100%)
46.246.84.7:2404 | Remcos botnet C2 server (confidence level: 100%)
1.14.104.62:8888 | Unknown malware botnet C2 server (confidence level: 100%)
88.201.69.136:443 | AsyncRAT botnet C2 server (confidence level: 100%)
198.23.227.175:7710 | AsyncRAT botnet C2 server (confidence level: 100%)
86.124.168.255:443 | FAKEUPDATES botnet C2 server (confidence level: 100%)
185.243.114.91:80 | Meduza Stealer botnet C2 server (confidence level: 100%)
209.151.153.81:8080 | MimiKatz botnet C2 server (confidence level: 100%)
193.31.28.181:4004 | Quasar RAT botnet C2 server (confidence level: 100%)
101.201.54.74:2222 | Cobalt Strike botnet C2 server (confidence level: 100%)
38.242.146.249:90 | AsyncRAT botnet C2 server (confidence level: 100%)
94.158.245.27:80 | MooBot botnet C2 server (confidence level: 100%)
124.221.38.163:60000 | Unknown malware botnet C2 server (confidence level: 100%)
20.52.4.154:3331 | Unknown malware botnet C2 server (confidence level: 100%)
18.144.21.154:587 | Unknown malware botnet C2 server (confidence level: 100%)
94.154.33.140:3333 | Unknown malware botnet C2 server (confidence level: 100%)
89.250.65.37:3333 | Unknown malware botnet C2 server (confidence level: 100%)
31.7.35.14:443 | Unknown malware botnet C2 server (confidence level: 100%)
191.101.241.240:3333 | Unknown malware botnet C2 server (confidence level: 100%)
154.53.39.85:3333 | Unknown malware botnet C2 server (confidence level: 100%)
88.99.170.132:1920 | Unknown malware botnet C2 server (confidence level: 100%)
18.135.30.45:4204 | Unknown malware botnet C2 server (confidence level: 100%)
45.76.176.78:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
206.72.197.102:30486 | Remcos botnet C2 server (confidence level: 100%)
117.72.92.74:5555 | Cobalt Strike botnet C2 server (confidence level: 100%)
110.41.4.69:8081 | Cobalt Strike botnet C2 server (confidence level: 100%)
146.190.91.121:46901 | Unknown malware botnet C2 server (confidence level: 100%)
134.175.248.97:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
150.158.89.168:55443 | Cobalt Strike botnet C2 server (confidence level: 100%)
49.232.133.108:50050 | Cobalt Strike botnet C2 server (confidence level: 100%)
8.147.234.137:8999 | Cobalt Strike botnet C2 server (confidence level: 100%)
34.132.16.207:7443 | Unknown malware botnet C2 server (confidence level: 100%)
186.32.225.34:8080 | MimiKatz botnet C2 server (confidence level: 100%)
45.141.26.234:443 | XWorm botnet C2 server (confidence level: 100%)
185.222.57.76:55615 | RedLine Stealer botnet C2 server (confidence level: 100%)
147.185.221.24:47517 | XenoRAT botnet C2 server (confidence level: 100%)
150.158.121.15:62000 | Cobalt Strike botnet C2 server (confidence level: 100%)
43.134.58.195:8080 | Cobalt Strike botnet C2 server (confidence level: 100%)
46.246.86.16:2404 | Remcos botnet C2 server (confidence level: 100%)
101.99.75.173:80 | Remcos botnet C2 server (confidence level: 100%)
91.107.146.68:8089 | Hook botnet C2 server (confidence level: 100%)
91.107.146.68:80 | Hook botnet C2 server (confidence level: 100%)
91.107.146.68:8082 | Hook botnet C2 server (confidence level: 100%)
188.79.46.203:443 | Havoc botnet C2 server (confidence level: 100%)
195.133.51.144:80 | Havoc botnet C2 server (confidence level: 100%)
142.93.234.59:443 | BianLian botnet C2 server (confidence level: 100%)
45.93.20.67:80 | Meduza Stealer payload delivery server (confidence level: 100%)
147.45.44.42:1488 | Rhadamanthys botnet C2 server (confidence level: 50%)
147.45.44.42:2001 | Rhadamanthys botnet C2 server (confidence level: 50%)
154.216.19.63:7290 | Rhadamanthys botnet C2 server (confidence level: 50%)
154.216.19.63:443 | Rhadamanthys botnet C2 server (confidence level: 50%)
63.32.99.39:32764 | NetSupportManager RAT botnet C2 server (confidence level: 50%)
157.20.182.8:1337 | AsyncRAT botnet C2 server (confidence level: 50%)
198.23.227.140:8181 | AsyncRAT botnet C2 server (confidence level: 50%)
154.91.34.250:14555 | RedLine Stealer botnet C2 server (confidence level: 100%)
23.94.37.42:2601 | Mirai botnet C2 server (confidence level: 75%)
154.39.239.95:1445 | ValleyRAT botnet C2 server (confidence level: 100%)
3.22.61.147:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
192.121.163.53:31337 | Sliver botnet C2 server (confidence level: 100%)
5.253.59.167:443 | Sliver botnet C2 server (confidence level: 100%)
5.175.237.184:443 | Sliver botnet C2 server (confidence level: 100%)
45.147.26.131:8888 | Unknown malware botnet C2 server (confidence level: 100%)
20.93.23.234:7443 | Unknown malware botnet C2 server (confidence level: 100%)
165.232.65.107:7443 | Unknown malware botnet C2 server (confidence level: 100%)
185.177.239.131:8082 | Hook botnet C2 server (confidence level: 100%)
13.231.139.33:9301 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
173.199.70.18:7443 | Unknown malware botnet C2 server (confidence level: 100%)
23.94.247.46:80 | Unknown malware botnet C2 server (confidence level: 100%)
14.241.100.39:8080 | Chaos botnet C2 server (confidence level: 100%)
154.216.17.241:443 | BianLian botnet C2 server (confidence level: 100%)
83.136.208.202:4057 | Remcos botnet C2 server (confidence level: 100%)
170.205.31.90:3333 | Remcos botnet C2 server (confidence level: 100%)
69.166.230.200:6606 | AsyncRAT botnet C2 server (confidence level: 100%)
187.209.210.95:4782 | Quasar RAT botnet C2 server (confidence level: 100%)
207.32.218.35:7707 | AsyncRAT botnet C2 server (confidence level: 100%)
URL
Value | Description
---|---
http://jholo.duckdns.org:8181/upload.php | DarkVision RAT botnet C2 (confidence level: 100%)
http://124.70.193.76:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
http://113.44.78.183:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
http://47.120.37.153:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
http://221.14.60.132:53880/mozi.m | Mozi payload delivery URL (confidence level: 50%)
http://185.239.51.56/externalvmpacketlongpollsqldbfloweruniversalcentral.php | DCRat botnet C2 (confidence level: 100%)
http://891781cm.renyash.ru/processorserverdefaultsqltrafficuniversalwpprivate.php | DCRat botnet C2 (confidence level: 100%)
http://23.94.247.46/pages/login.php | Unknown malware botnet C2 (confidence level: 100%)
http://recessfriction.sbs/lod.php | Unknown malware botnet C2 (confidence level: 100%)
http://recessfriction.sbs/dol.php | Unknown malware botnet C2 (confidence level: 100%)
http://dogdecision.cfd/bar.php | Unknown malware botnet C2 (confidence level: 100%)
http://487997cm.renyash.top/videoflowergeneratortestpublic.php | DCRat botnet C2 (confidence level: 100%)
https://awake-weaves.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://brendon-sharjen.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://covery-mover.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://dare-curbys.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://dwell-exclaim.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://fadehairucw.store/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://formy-spill.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://impend-differ.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://ingreem-eilish.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://outlookyn.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://presticitpo.store/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://print-vexer.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://scriptyprefej.store/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://se-blurry.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://sordid-snaked.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://thumbystriw.store/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://wisdom-echoes.shop/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://wrathful-jammy.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://zinc-sneark.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
http://94.103.84.173/pages/login.php | Unknown malware botnet C2 (confidence level: 100%)
http://101349cm.renyash.ru/videovmgamedefaulttestuniversalwp.php | DCRat botnet C2 (confidence level: 100%)
http://42.231.223.147:60259/mozi.m | Mozi payload delivery URL (confidence level: 50%)
http://126987cm.renyash.ru/vmpipejavascript_httpauthlongpollmultiwordpressdle.php | DCRat botnet C2 (confidence level: 100%)
Domain
Value | Description
---|---
raw.cloudboats.vip | Mirai botnet C2 domain (confidence level: 75%)
s4.serv00.com | Agent Tesla botnet C2 domain (confidence level: 50%)
vmi2323701.contaboserver.net | AsyncRAT botnet C2 domain (confidence level: 100%)
cpcalendars.pd.194-59-30-152.cprapid.com | Hook botnet C2 domain (confidence level: 100%)
avina.cloud | Havoc botnet C2 domain (confidence level: 100%)
ecs-110-41-4-69.compute.hwclouds-dns.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
ocqztwhhfipaggkyloea.infinitum.space | Cobalt Strike botnet C2 domain (confidence level: 100%)
ip66-179-240-177.pbiaas.com | AsyncRAT botnet C2 domain (confidence level: 100%)
www.103-152-255-69.cprapid.com | Havoc botnet C2 domain (confidence level: 100%)
awake-weaves.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%)
brendon-sharjen.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
covery-mover.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
dare-curbys.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
dwell-exclaim.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
formy-spill.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
impend-differ.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
ingreem-eilish.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
outlookyn.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%)
print-vexer.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
se-blurry.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
sordid-snaked.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%)
wisdom-echoes.shop | Lumma Stealer botnet C2 domain (confidence level: 100%)
wrathful-jammy.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%)
zinc-sneark.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
usps-mydeliver.com | Meduza Stealer botnet C2 domain (confidence level: 100%)
usps-mypackage.com | Meduza Stealer botnet C2 domain (confidence level: 100%)
chatapi.edureel.ai | Unknown malware botnet C2 domain (confidence level: 100%)
Threat ID: 68367c99182aa0cae2321cec
Added to database: 5/28/2025, 3:01:45 AM
Last enriched: 6/27/2025, 10:50:26 AM
Last updated: 7/28/2025, 11:18:39 PM
Related Threats
- A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode (Medium)
- PhantomCard: New NFC-driven Android malware emerging in Brazil (Medium)
- ThreatFox IOCs for 2025-08-13 (Medium)
- Efimer Trojan Steals Crypto, Hacks WordPress Sites via Torrents and Phishing (Medium)
- Silent Watcher: Dissecting Cmimai Stealer's VBS Payload (Medium)