ThreatFox IOCs for 2025-01-29
ThreatFox IOCs for 2025-01-29
AI Analysis
Technical Summary
The provided threat intelligence pertains to a malware-related entry titled "ThreatFox IOCs for 2025-01-29," sourced from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat data. The entry is categorized under "type:osint," indicating it relates to open-source intelligence data rather than a specific software product or version. No affected software versions or specific vulnerabilities are identified, and there are no associated Common Weakness Enumerations (CWEs) or patch links. The threat level is rated as medium with a threatLevel score of 2 (on an unspecified scale), an analysis score of 1, and a distribution score of 3, suggesting moderate dissemination or reach. There are no known exploits in the wild linked to this malware at the time of publication (January 29, 2025). The absence of technical indicators or detailed malware behavior limits the ability to provide a granular technical breakdown; however, the classification as malware implies potential risks such as unauthorized access, data exfiltration, or disruption of services. The TLP (Traffic Light Protocol) designation is white, indicating the information is intended for public sharing without restriction. Overall, this entry appears to be a general release of IOCs related to malware activity rather than a report on a novel or actively exploited vulnerability or malware strain.
Potential Impact
For European organizations, the impact of this threat is currently assessed as moderate due to the medium severity rating and lack of known active exploitation. Since the threat is related to malware IOCs disseminated via open-source intelligence, it primarily serves as an early warning or detection aid rather than an immediate operational threat. Organizations that rely on threat intelligence feeds incorporating ThreatFox data can enhance their detection capabilities and potentially identify malware infections earlier. However, without specific affected products or vulnerabilities, the direct impact on confidentiality, integrity, or availability is uncertain. The malware could potentially lead to data breaches, system compromise, or service disruption if deployed successfully, but the lack of active exploitation reports suggests limited immediate risk. European entities with critical infrastructure, financial services, or government operations should remain vigilant, as malware campaigns often target such sectors. The broad distribution score indicates that the malware or its indicators may be widespread, increasing the likelihood of encountering related threats if not properly monitored.
Mitigation Recommendations
1. Integrate ThreatFox IOCs into existing Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems to enhance detection of related malware activity. 2. Conduct regular threat hunting exercises using the latest IOCs to identify potential infections early. 3. Maintain up-to-date malware signatures and heuristic detection capabilities on antivirus and anti-malware platforms. 4. Implement network segmentation and strict access controls to limit lateral movement in case of infection. 5. Educate security teams on interpreting and operationalizing OSINT-based threat intelligence to avoid false positives and improve response times. 6. Establish incident response playbooks that incorporate OSINT-derived indicators to streamline investigation and containment. 7. Monitor public and private threat intelligence sharing platforms for updates or new indicators related to this malware to adapt defenses promptly. 8. Since no patches are available, focus on detection and containment rather than remediation of a specific vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Indicators of Compromise
- file: 156.229.233.168
- hash: 3708
- domain: antynewwr.biz
- domain: classifyagnru.biz
- domain: extendequeai.biz
- domain: friencontorle.biz
- domain: lieneedles.biz
- domain: miniattured.biz
- domain: muscleinitai.biz
- domain: recordeperishi.biz
- domain: spottyalle.biz
- domain: workedeatch.biz
- file: 156.243.244.27
- hash: 8080
- file: 158.23.168.192
- hash: 3000
- file: 54.255.180.238
- hash: 8080
- file: 44.201.201.174
- hash: 445
- file: 146.103.11.125
- hash: 6606
- file: 146.103.11.125
- hash: 8808
- file: 156.253.228.8
- hash: 80
- file: 195.177.95.146
- hash: 80
- file: 172.105.7.218
- hash: 443
- file: 46.246.80.9
- hash: 9000
- file: 3.77.145.228
- hash: 9600
- file: 87.120.117.107
- hash: 8080
- file: 146.19.24.68
- hash: 8080
- file: 172.96.137.32
- hash: 80
- url: http://113.117.14.47:21666/mozi.m
- file: 157.97.11.134
- hash: 80
- file: 18.158.58.205
- hash: 15938
- file: 3.67.62.142
- hash: 15938
- file: 45.145.42.103
- hash: 1912
- url: http://38.180.145.185/datalifelocalgeneratorpipe/gamebase/provider5/game2temporarylongpoll/uploadssecureproton/wpbigloadhttp4/51/external/03linuxwordpress/datalife8javascriptprocessor/videovmtopacketauthbigloadserverdbtesttemporary.php
- file: 51.38.119.232
- hash: 6606
- file: 51.38.119.232
- hash: 7707
- file: 45.40.96.159
- hash: 8808
- file: 13.53.166.6
- hash: 443
- file: 198.167.199.183
- hash: 19132
- file: 46.246.12.21
- hash: 8000
- file: 18.201.220.7
- hash: 57563
- domain: www.3elos.com
- url: http://a0994456.xsph.ru/l1nc0in.php
- file: 156.243.244.27
- hash: 80
- file: 80.78.27.51
- hash: 443
- file: 85.206.172.129
- hash: 3333
- file: 35.164.210.220
- hash: 80
- file: 52.58.214.158
- hash: 4444
- file: 34.1.162.42
- hash: 443
- file: 139.59.230.141
- hash: 3333
- file: 3.148.70.88
- hash: 8443
- file: 34.66.75.169
- hash: 10443
- file: 178.156.155.108
- hash: 443
- file: 43.216.107.102
- hash: 443
- file: 165.22.94.61
- hash: 443
- file: 54.148.125.236
- hash: 80
- file: 54.66.96.112
- hash: 443
- url: http://697548cm.nyashnyash.ru/javascriptprotectwindowstrackdownloads.php
- hash: 5c62cdf97b2caa60448619e36a5eb0b6
- hash: 0009f4b9972660eeb23ff3a9dccd8d86
- hash: eb42ef53761b118efbc75c4d70906fe4
- hash: 4bf608e852cb279e61136a895a6912a9
- hash: 1f1361a67ce4396c3b9dbc198207ef52
- hash: 79313be39679f84f4fcb151a3394b8b3
- hash: 704fb67dffe4d1dce8f22e56096893be
- domain: twizt.net
- domain: srgsougshfouaoehfagdhae.net
- domain: ouauooaoaoeeutr.io
- domain: fmnljjmaeihehge.top
- url: http://221.0.241.233:52988/mozi.m
- file: 165.22.27.228
- hash: 1337
- file: 34.38.195.43
- hash: 3333
- file: 167.172.15.223
- hash: 31337
- file: 110.43.68.179
- hash: 10001
- file: 3.143.225.161
- hash: 1599
- url: https://absetnoodi.top/api
- url: https://titlewoundyb.cyou/api
- url: https://sustainablelivingtips.biz/api
- url: https://healthyrecipesonline.biz/api
- url: https://seafoundation.claims/
- url: https://saba.royalreturns.org/
- domain: www.grupodulcemar.pe
- domain: wxhqyfpygelt.shop
- domain: subscribe.bigeznola.com
- domain: naturelovetop.top
- domain: thehealthylifesstop.top
- domain: uniquetopstop.top
- domain: wellnessretreatstop.top
- url: http://f1078098.xsph.ru/0390772f.php
- url: https://solve.rywi.org/awjsx.captcha
- domain: solve.rywi.org
- domain: patchpharos.com
- domain: emorista.org
- file: 172.86.81.9
- hash: 443
- file: 176.65.144.125
- hash: 8888
- file: 207.32.217.253
- hash: 7707
- file: 207.32.217.253
- hash: 6606
- file: 94.72.118.139
- hash: 7707
- file: 94.72.118.139
- hash: 6606
- file: 45.141.84.208
- hash: 15747
- file: 172.86.109.207
- hash: 51512
- file: 95.169.180.137
- hash: 80
- domain: solve.yiie.org
- file: 159.65.245.206
- hash: 8888
- file: 45.129.3.177
- hash: 80
- file: 74.129.117.255
- hash: 8080
- file: 8.45.176.69
- hash: 4506
- file: 185.70.104.48
- hash: 443
- file: 91.92.240.88
- hash: 2777
- file: 94.156.167.223
- hash: 80
- url: http://788464cm.shnyash.ru/_multidefaultdbwindows.php
- domain: solve.uayy.org
- domain: solve.eyuy.org
- file: 122.51.50.156
- hash: 7777
- file: 46.8.158.31
- hash: 80
- file: 149.88.74.68
- hash: 80
- domain: vps-zap984637-1.zap-srv.com
- file: 88.119.171.163
- hash: 8090
- file: 176.65.139.69
- hash: 8090
- file: 128.90.102.97
- hash: 9909
- file: 23.175.50.140
- hash: 6606
- file: 23.175.50.140
- hash: 7707
- file: 176.65.142.35
- hash: 8089
- file: 18.182.2.140
- hash: 5873
- url: https://akmcons.com/6d2k.js
- domain: akmcons.com
- url: https://akmcons.com/js.php
- url: https://pilot-agent-false-taken.trycloudflare.com/cloudfla
- file: 38.60.203.135
- hash: 18443
- url: https://piloferstaf.com/test/
- url: https://ypredoninen.com/test/
- domain: piloferstaf.com
- domain: ypredoninen.com
- file: 41.103.71.188
- hash: 999
- file: 172.93.218.10
- hash: 8808
- file: 18.197.126.91
- hash: 80
- file: 208.64.33.76
- hash: 8080
- file: 85.31.47.104
- hash: 111
- file: 89.23.96.61
- hash: 9823
- file: 87.120.127.195
- hash: 444
- file: 102.117.162.60
- hash: 7443
- file: 3.96.165.66
- hash: 11112
- file: 119.28.223.139
- hash: 4000
- url: https://patientlo.top/work/original.js
- domain: patientlo.top
- url: https://patientlo.top/work/index.php
- url: https://patientlo.top/work/upl.php
- url: https://fakenotesandclonedcards.com/folder.zip
- domain: huloar.live
- url: https://huloar.live
- file: 197.58.200.175
- hash: 1177
- domain: colyfigo55.hopto.org
- file: 217.156.66.237
- hash: 33006
- domain: b-need-for-speed.online
- url: http://b-need-for-speed.online/u3n6hcu6te3b46gc
- url: https://innerkomen.com/api
- domain: fiveww5vt.top
- domain: cm38152.tw1.ru
- domain: f1079650.xsph.ru
- domain: stematockeoff.shop
- domain: titlewoundyb.cyou
- domain: greatrabbid.biz
- domain: rollinsccred.biz
- domain: smiteattacekr.org
- url: https://smiteattacekr.org/api
- url: https://rollinsccred.biz/api
- url: https://greatrabbid.biz/api
- url: https://stematockeoff.shop/api
- domain: frtrr14pn.top
- domain: twntrr20pn.top
- domain: twntww20vt.top
- domain: fvkk5vs.top
- domain: fortkk14vs.top
- domain: thrtrr13pn.top
- domain: twntkk20vs.top
- file: 38.146.27.55
- hash: 80
- file: 62.99.53.210
- hash: 8181
- file: 31.57.166.52
- hash: 8808
- file: 128.90.102.97
- hash: 9999
- file: 36.133.19.224
- hash: 7443
- file: 173.255.204.48
- hash: 7443
- file: 217.211.13.227
- hash: 25565
- file: 217.182.77.118
- hash: 443
- file: 94.141.122.230
- hash: 443
- file: 18.144.58.41
- hash: 2404
- file: 98.82.12.229
- hash: 80
- file: 13.203.159.2
- hash: 47130
- file: 54.190.65.166
- hash: 443
- file: 62.1.222.131
- hash: 995
ThreatFox IOCs for 2025-01-29
Description
ThreatFox IOCs for 2025-01-29
AI-Powered Analysis
Technical Analysis
The provided threat intelligence pertains to a malware-related entry titled "ThreatFox IOCs for 2025-01-29," sourced from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat data. The entry is categorized under "type:osint," indicating it relates to open-source intelligence data rather than a specific software product or version. No affected software versions or specific vulnerabilities are identified, and there are no associated Common Weakness Enumerations (CWEs) or patch links. The threat level is rated as medium with a threatLevel score of 2 (on an unspecified scale), an analysis score of 1, and a distribution score of 3, suggesting moderate dissemination or reach. There are no known exploits in the wild linked to this malware at the time of publication (January 29, 2025). The absence of technical indicators or detailed malware behavior limits the ability to provide a granular technical breakdown; however, the classification as malware implies potential risks such as unauthorized access, data exfiltration, or disruption of services. The TLP (Traffic Light Protocol) designation is white, indicating the information is intended for public sharing without restriction. Overall, this entry appears to be a general release of IOCs related to malware activity rather than a report on a novel or actively exploited vulnerability or malware strain.
Potential Impact
For European organizations, the impact of this threat is currently assessed as moderate due to the medium severity rating and lack of known active exploitation. Since the threat is related to malware IOCs disseminated via open-source intelligence, it primarily serves as an early warning or detection aid rather than an immediate operational threat. Organizations that rely on threat intelligence feeds incorporating ThreatFox data can enhance their detection capabilities and potentially identify malware infections earlier. However, without specific affected products or vulnerabilities, the direct impact on confidentiality, integrity, or availability is uncertain. The malware could potentially lead to data breaches, system compromise, or service disruption if deployed successfully, but the lack of active exploitation reports suggests limited immediate risk. European entities with critical infrastructure, financial services, or government operations should remain vigilant, as malware campaigns often target such sectors. The broad distribution score indicates that the malware or its indicators may be widespread, increasing the likelihood of encountering related threats if not properly monitored.
Mitigation Recommendations
1. Integrate ThreatFox IOCs into existing Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems to enhance detection of related malware activity. 2. Conduct regular threat hunting exercises using the latest IOCs to identify potential infections early. 3. Maintain up-to-date malware signatures and heuristic detection capabilities on antivirus and anti-malware platforms. 4. Implement network segmentation and strict access controls to limit lateral movement in case of infection. 5. Educate security teams on interpreting and operationalizing OSINT-based threat intelligence to avoid false positives and improve response times. 6. Establish incident response playbooks that incorporate OSINT-derived indicators to streamline investigation and containment. 7. Monitor public and private threat intelligence sharing platforms for updates or new indicators related to this malware to adapt defenses promptly. 8. Since no patches are available, focus on detection and containment rather than remediation of a specific vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- d5a6ab3a-de7a-4e4a-acf4-b4742d150213
- Original Timestamp
- 1738195388
Indicators of Compromise
File
| Value | Description | Copy |
|---|---|---|
file156.229.233.168 | Bashlite botnet C2 server (confidence level: 75%) | |
file156.243.244.27 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file158.23.168.192 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file54.255.180.238 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file44.201.201.174 | Sliver botnet C2 server (confidence level: 100%) | |
file146.103.11.125 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file146.103.11.125 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file156.253.228.8 | Hook botnet C2 server (confidence level: 100%) | |
file195.177.95.146 | Hook botnet C2 server (confidence level: 100%) | |
file172.105.7.218 | Havoc botnet C2 server (confidence level: 100%) | |
file46.246.80.9 | DCRat botnet C2 server (confidence level: 100%) | |
file3.77.145.228 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file87.120.117.107 | MooBot botnet C2 server (confidence level: 100%) | |
file146.19.24.68 | Bashlite botnet C2 server (confidence level: 100%) | |
file172.96.137.32 | BianLian botnet C2 server (confidence level: 100%) | |
file157.97.11.134 | Nanocore RAT botnet C2 server (confidence level: 100%) | |
file18.158.58.205 | NjRAT botnet C2 server (confidence level: 75%) | |
file3.67.62.142 | NjRAT botnet C2 server (confidence level: 75%) | |
file45.145.42.103 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file51.38.119.232 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file51.38.119.232 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file45.40.96.159 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file13.53.166.6 | Unknown malware botnet C2 server (confidence level: 100%) | |
file198.167.199.183 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file46.246.12.21 | DCRat botnet C2 server (confidence level: 100%) | |
file18.201.220.7 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file156.243.244.27 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file80.78.27.51 | Sliver botnet C2 server (confidence level: 90%) | |
file85.206.172.129 | Unknown malware botnet C2 server (confidence level: 100%) | |
file35.164.210.220 | Unknown malware botnet C2 server (confidence level: 100%) | |
file52.58.214.158 | Unknown malware botnet C2 server (confidence level: 100%) | |
file34.1.162.42 | Unknown malware botnet C2 server (confidence level: 100%) | |
file139.59.230.141 | Unknown malware botnet C2 server (confidence level: 100%) | |
file3.148.70.88 | Unknown malware botnet C2 server (confidence level: 100%) | |
file34.66.75.169 | Unknown malware botnet C2 server (confidence level: 100%) | |
file178.156.155.108 | Unknown malware botnet C2 server (confidence level: 100%) | |
file43.216.107.102 | Unknown malware botnet C2 server (confidence level: 100%) | |
file165.22.94.61 | Unknown malware botnet C2 server (confidence level: 100%) | |
file54.148.125.236 | Unknown malware botnet C2 server (confidence level: 100%) | |
file54.66.96.112 | Unknown malware botnet C2 server (confidence level: 100%) | |
file165.22.27.228 | Unknown malware botnet C2 server (confidence level: 50%) | |
file34.38.195.43 | Unknown malware botnet C2 server (confidence level: 50%) | |
file167.172.15.223 | Sliver botnet C2 server (confidence level: 50%) | |
file110.43.68.179 | Xtreme RAT botnet C2 server (confidence level: 50%) | |
file3.143.225.161 | Unknown malware botnet C2 server (confidence level: 50%) | |
file172.86.81.9 | pupy botnet C2 server (confidence level: 100%) | |
file176.65.144.125 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file207.32.217.253 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file207.32.217.253 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file94.72.118.139 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file94.72.118.139 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file45.141.84.208 | SectopRAT botnet C2 server (confidence level: 100%) | |
file172.86.109.207 | Crimson RAT botnet C2 server (confidence level: 100%) | |
file95.169.180.137 | MooBot botnet C2 server (confidence level: 100%) | |
file159.65.245.206 | Sliver botnet C2 server (confidence level: 75%) | |
file45.129.3.177 | Havoc botnet C2 server (confidence level: 75%) | |
file74.129.117.255 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file8.45.176.69 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file185.70.104.48 | Meterpreter botnet C2 server (confidence level: 75%) | |
file91.92.240.88 | Nanocore RAT botnet C2 server (confidence level: 75%) | |
file94.156.167.223 | Loki Password Stealer (PWS) botnet C2 server (confidence level: 75%) | |
file122.51.50.156 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file46.8.158.31 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file149.88.74.68 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file88.119.171.163 | Remcos botnet C2 server (confidence level: 100%) | |
file176.65.139.69 | Remcos botnet C2 server (confidence level: 100%) | |
file128.90.102.97 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file23.175.50.140 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file23.175.50.140 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file176.65.142.35 | Hook botnet C2 server (confidence level: 100%) | |
file18.182.2.140 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file38.60.203.135 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file41.103.71.188 | NjRAT botnet C2 server (confidence level: 100%) | |
file172.93.218.10 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file18.197.126.91 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file208.64.33.76 | Remcos botnet C2 server (confidence level: 100%) | |
file85.31.47.104 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file89.23.96.61 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file87.120.127.195 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file102.117.162.60 | Unknown malware botnet C2 server (confidence level: 100%) | |
file3.96.165.66 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file119.28.223.139 | Unknown malware botnet C2 server (confidence level: 100%) | |
file197.58.200.175 | NjRAT botnet C2 server (confidence level: 75%) | |
file217.156.66.237 | MooBot botnet C2 server (confidence level: 75%) | |
file38.146.27.55 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file62.99.53.210 | Unknown malware botnet C2 server (confidence level: 100%) | |
file31.57.166.52 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file128.90.102.97 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file36.133.19.224 | Unknown malware botnet C2 server (confidence level: 100%) | |
file173.255.204.48 | Unknown malware botnet C2 server (confidence level: 100%) | |
file217.211.13.227 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file217.182.77.118 | Havoc botnet C2 server (confidence level: 100%) | |
file94.141.122.230 | DCRat botnet C2 server (confidence level: 100%) | |
file18.144.58.41 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file98.82.12.229 | BianLian botnet C2 server (confidence level: 100%) | |
file13.203.159.2 | NetSupportManager RAT botnet C2 server (confidence level: 75%) | |
file54.190.65.166 | Brute Ratel C4 botnet C2 server (confidence level: 75%) | |
file62.1.222.131 | QakBot botnet C2 server (confidence level: 75%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash3708 | Bashlite botnet C2 server (confidence level: 75%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash3000 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash445 | Sliver botnet C2 server (confidence level: 100%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash80 | Hook botnet C2 server (confidence level: 100%) | |
hash80 | Hook botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash9000 | DCRat botnet C2 server (confidence level: 100%) | |
hash9600 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash8080 | MooBot botnet C2 server (confidence level: 100%) | |
hash8080 | Bashlite botnet C2 server (confidence level: 100%) | |
hash80 | BianLian botnet C2 server (confidence level: 100%) | |
hash80 | Nanocore RAT botnet C2 server (confidence level: 100%) | |
hash15938 | NjRAT botnet C2 server (confidence level: 75%) | |
hash15938 | NjRAT botnet C2 server (confidence level: 75%) | |
hash1912 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash7707 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash19132 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash8000 | DCRat botnet C2 server (confidence level: 100%) | |
hash57563 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 90%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash80 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash4444 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash10443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash80 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash5c62cdf97b2caa60448619e36a5eb0b6 | poisonplug payload (confidence level: 50%) | |
hash0009f4b9972660eeb23ff3a9dccd8d86 | poisonplug payload (confidence level: 50%) | |
hasheb42ef53761b118efbc75c4d70906fe4 | poisonplug payload (confidence level: 50%) | |
hash4bf608e852cb279e61136a895a6912a9 | poisonplug payload (confidence level: 50%) | |
hash1f1361a67ce4396c3b9dbc198207ef52 | poisonplug payload (confidence level: 50%) | |
hash79313be39679f84f4fcb151a3394b8b3 | poisonplug payload (confidence level: 50%) | |
hash704fb67dffe4d1dce8f22e56096893be | poisonplug payload (confidence level: 50%) | |
hash1337 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash10001 | Xtreme RAT botnet C2 server (confidence level: 50%) | |
hash1599 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash443 | pupy botnet C2 server (confidence level: 100%) | |
hash8888 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash7707 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash7707 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash15747 | SectopRAT botnet C2 server (confidence level: 100%) | |
hash51512 | Crimson RAT botnet C2 server (confidence level: 100%) | |
hash80 | MooBot botnet C2 server (confidence level: 100%) | |
hash8888 | Sliver botnet C2 server (confidence level: 75%) | |
hash80 | Havoc botnet C2 server (confidence level: 75%) | |
hash8080 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash4506 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash443 | Meterpreter botnet C2 server (confidence level: 75%) | |
hash2777 | Nanocore RAT botnet C2 server (confidence level: 75%) | |
hash80 | Loki Password Stealer (PWS) botnet C2 server (confidence level: 75%) | |
hash7777 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8090 | Remcos botnet C2 server (confidence level: 100%) | |
hash8090 | Remcos botnet C2 server (confidence level: 100%) | |
hash9909 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash7707 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8089 | Hook botnet C2 server (confidence level: 100%) | |
hash5873 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash18443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash999 | NjRAT botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8080 | Remcos botnet C2 server (confidence level: 100%) | |
hash111 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash9823 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash444 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash11112 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash4000 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash1177 | NjRAT botnet C2 server (confidence level: 75%) | |
hash33006 | MooBot botnet C2 server (confidence level: 75%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8181 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash9999 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash25565 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash443 | DCRat botnet C2 server (confidence level: 100%) | |
hash2404 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | BianLian botnet C2 server (confidence level: 100%) | |
hash47130 | NetSupportManager RAT botnet C2 server (confidence level: 75%) | |
hash443 | Brute Ratel C4 botnet C2 server (confidence level: 75%) | |
hash995 | QakBot botnet C2 server (confidence level: 75%) |
Domain
| Value | Description | Copy |
|---|---|---|
domainantynewwr.biz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainclassifyagnru.biz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainextendequeai.biz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainfriencontorle.biz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainlieneedles.biz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainminiattured.biz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainmuscleinitai.biz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainrecordeperishi.biz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainspottyalle.biz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainworkedeatch.biz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainwww.3elos.com | MimiKatz botnet C2 domain (confidence level: 100%) | |
domaintwizt.net | Unknown Loader botnet C2 domain (confidence level: 50%) | |
domainsrgsougshfouaoehfagdhae.net | Phorpiex botnet C2 domain (confidence level: 100%) | |
domainouauooaoaoeeutr.io | Phorpiex botnet C2 domain (confidence level: 100%) | |
domainfmnljjmaeihehge.top | Vidar botnet C2 domain (confidence level: 100%) | |
domainwww.grupodulcemar.pe | Unknown malware payload delivery domain (confidence level: 50%) | |
domainwxhqyfpygelt.shop | FAKEUPDATES payload delivery domain (confidence level: 50%) | |
domainsubscribe.bigeznola.com | FAKEUPDATES payload delivery domain (confidence level: 50%) | |
domainnaturelovetop.top | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domainthehealthylifesstop.top | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domainuniquetopstop.top | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domainwellnessretreatstop.top | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domainsolve.rywi.org | ClearFake payload delivery domain (confidence level: 100%) | |
domainpatchpharos.com | Matanbuchus botnet C2 domain (confidence level: 50%) | |
domainemorista.org | Matanbuchus botnet C2 domain (confidence level: 100%) | |
domainsolve.yiie.org | ClearFake payload delivery domain (confidence level: 100%) | |
domainsolve.uayy.org | ClearFake payload delivery domain (confidence level: 100%) | |
domainsolve.eyuy.org | ClearFake payload delivery domain (confidence level: 100%) | |
domainvps-zap984637-1.zap-srv.com | Remcos botnet C2 domain (confidence level: 100%) | |
domainakmcons.com | FAKEUPDATES payload delivery domain (confidence level: 100%) | |
domainpiloferstaf.com | Latrodectus botnet C2 domain (confidence level: 100%) | |
domainypredoninen.com | Latrodectus botnet C2 domain (confidence level: 100%) | |
domainpatientlo.top | FAKEUPDATES payload delivery domain (confidence level: 100%) | |
domainhuloar.live | Vidar botnet C2 domain (confidence level: 100%) | |
domaincolyfigo55.hopto.org | NjRAT botnet C2 domain (confidence level: 75%) | |
domainb-need-for-speed.online | TrickMo botnet C2 domain (confidence level: 100%) | |
domainfiveww5vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domaincm38152.tw1.ru | DCRat botnet C2 domain (confidence level: 100%) | |
domainf1079650.xsph.ru | DCRat botnet C2 domain (confidence level: 100%) | |
domainstematockeoff.shop | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaintitlewoundyb.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaingreatrabbid.biz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainrollinsccred.biz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainsmiteattacekr.org | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainfrtrr14pn.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domaintwntrr20pn.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domaintwntww20vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domainfvkk5vs.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domainfortkk14vs.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domainthrtrr13pn.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domaintwntkk20vs.top | CryptBot botnet C2 domain (confidence level: 100%) |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://113.117.14.47:21666/mozi.m | Mozi payload delivery URL (confidence level: 50%) | |
urlhttp://38.180.145.185/datalifelocalgeneratorpipe/gamebase/provider5/game2temporarylongpoll/uploadssecureproton/wpbigloadhttp4/51/external/03linuxwordpress/datalife8javascriptprocessor/videovmtopacketauthbigloadserverdbtesttemporary.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://a0994456.xsph.ru/l1nc0in.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://697548cm.nyashnyash.ru/javascriptprotectwindowstrackdownloads.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://221.0.241.233:52988/mozi.m | Mozi payload delivery URL (confidence level: 50%) | |
urlhttps://absetnoodi.top/api | Lumma Stealer botnet C2 (confidence level: 50%) | |
urlhttps://titlewoundyb.cyou/api | Lumma Stealer botnet C2 (confidence level: 50%) | |
urlhttps://sustainablelivingtips.biz/api | Lumma Stealer botnet C2 (confidence level: 50%) | |
urlhttps://healthyrecipesonline.biz/api | Lumma Stealer botnet C2 (confidence level: 50%) | |
urlhttps://seafoundation.claims/ | Unknown malware payload delivery URL (confidence level: 50%) | |
urlhttps://saba.royalreturns.org/ | Unknown malware payload delivery URL (confidence level: 50%) | |
urlhttp://f1078098.xsph.ru/0390772f.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttps://solve.rywi.org/awjsx.captcha | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttp://788464cm.shnyash.ru/_multidefaultdbwindows.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttps://akmcons.com/6d2k.js | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://akmcons.com/js.php | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://pilot-agent-false-taken.trycloudflare.com/cloudfla | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://piloferstaf.com/test/ | Latrodectus botnet C2 (confidence level: 100%) | |
urlhttps://ypredoninen.com/test/ | Latrodectus botnet C2 (confidence level: 100%) | |
urlhttps://patientlo.top/work/original.js | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://patientlo.top/work/index.php | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://patientlo.top/work/upl.php | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://fakenotesandclonedcards.com/folder.zip | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://huloar.live | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://b-need-for-speed.online/u3n6hcu6te3b46gc | TrickMo botnet C2 (confidence level: 100%) | |
urlhttps://innerkomen.com/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://smiteattacekr.org/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://rollinsccred.biz/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://greatrabbid.biz/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://stematockeoff.shop/api | Lumma Stealer botnet C2 (confidence level: 100%) |
Threat ID: 682c7dc1e8347ec82d2d90cc
Added to database: 5/20/2025, 1:04:01 PM
Last enriched: 6/19/2025, 4:04:54 PM
Last updated: 8/10/2025, 2:55:02 AM
Views: 11
Related Threats
ThreatFox IOCs for 2025-08-17
MediumThreatFox IOCs for 2025-08-16
MediumScammers Compromised by Own Malware, Expose $4.67M Operation and Identities
MediumThreatFox IOCs for 2025-08-15
MediumThreat Actor Profile: Interlock Ransomware
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.