ThreatFox IOCs for 2025-03-25
Severity: mediumType: unknown
ThreatFox IOCs for 2025-03-25
AI Analysis
Technical Summary
The provided information pertains to a set of Indicators of Compromise (IOCs) published on 2025-03-25 by ThreatFox, sourced from MISP (Malware Information Sharing Platform). The entry is labeled as 'unknown' type with no specific affected software versions, no associated Common Weakness Enumerations (CWEs), and no known exploits in the wild. The threat level is indicated as low to medium (threatLevel: 2), with minimal analysis (analysis: 1) and moderate distribution (distribution: 3). The absence of technical details, affected products, or concrete attack vectors limits the ability to precisely characterize the threat. The IOCs are tagged as OSINT (Open Source Intelligence) and TLP:WHITE, indicating they are intended for broad sharing without restrictions. Since no concrete indicators or exploit details are provided, this entry appears to be a placeholder or a preliminary report of potential threat intelligence rather than a confirmed or active security threat. The medium severity rating likely reflects caution due to the unknown nature and potential for future development rather than current active exploitation.
Potential Impact
Given the lack of specific technical details, affected systems, or known exploits, the immediate impact on European organizations is difficult to quantify. However, the publication of IOCs suggests that there may be emerging or suspected malicious activity that could target various systems in the future. European organizations that rely on threat intelligence feeds and proactive defense mechanisms may benefit from monitoring these IOCs to detect early signs of compromise. Without concrete exploit information, the risk to confidentiality, integrity, and availability remains theoretical at this stage. Nonetheless, organizations should remain vigilant as unknown threats can evolve rapidly, potentially impacting critical infrastructure, government entities, or private sector companies if the threat materializes.
Mitigation Recommendations
1. Integrate the provided IOCs into existing Security Information and Event Management (SIEM) systems and endpoint detection tools to enable early detection of suspicious activity. 2. Maintain up-to-date threat intelligence feeds and subscribe to trusted sources like MISP to receive timely updates on evolving threats. 3. Conduct regular network and endpoint monitoring focusing on anomalous behaviors that could correlate with emerging IOCs. 4. Implement robust incident response procedures to quickly investigate and contain any alerts triggered by these or related IOCs. 5. Engage in information sharing with industry peers and national cybersecurity centers to enhance collective situational awareness. 6. Since no patches or specific vulnerabilities are identified, prioritize general cybersecurity hygiene including timely patching of known vulnerabilities, strong access controls, and user awareness training to reduce attack surface.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Indicators of Compromise
- domain: progressiveptgreenvalley.com
- ip-dst|port: 43.160.193.143|443
- ip-dst|port: 128.90.113.194|2000
- ip-dst|port: 209.38.142.255|80
- domain: www.amanmail.info
- domain: www.mkdirjava.com
- ip-dst|port: 113.45.132.242|60000
- ip-dst|port: 213.199.57.185|3333
- ip-dst|port: 152.203.30.145|8080
- ip-dst|port: 47.94.7.163|10001
- domain: electrumdoge.com
- domain: electrum-avax.com
- domain: electrum-ravencoin.com
- domain: electrum-xmr.net
- ip-dst|port: 144.208.127.241|1313
- ip-dst|port: 31.58.169.119|8808
- ip-dst|port: 51.38.215.206|7443
- domain: cpcontacts.aaa.104-168-101-27.cprapid.com
- domain: cpanel.a.multi-canale.com
- domain: mail.b.ora-0-web.com
- domain: webdisk.aaa.104-168-101-27.cprapid.com
- domain: cpanel.ora-0-web.com
- ip-dst|port: 103.215.78.176|53
- domain: svchost.iqiyid.icu
- ip-dst|port: 14.128.50.21|8080
- ip-dst|port: 67.159.18.50|1995
- ip-dst|port: 169.150.202.83|5552
- domain: ksmj.ddns.net
- ip-dst|port: 121.36.215.212|80
- ip-dst|port: 106.75.245.80|8443
- ip-dst|port: 104.250.169.98|2404
- ip-dst|port: 38.146.27.151|443
- ip-dst|port: 45.130.151.163|443
- ip-dst|port: 23.94.126.113|8808
- ip-dst|port: 196.251.70.104|6606
- ip-dst|port: 91.211.248.206|80
- ip-dst|port: 197.133.22.251|8081
- ip-dst|port: 157.20.182.77|4449
- ip-dst|port: 102.96.189.137|443
- ip-dst|port: 35.86.98.1|27017
- ip-dst|port: 167.71.234.19|80
- ip-dst|port: 159.65.224.196|80
- ip-dst|port: 117.72.119.63|7088
- ip-dst|port: 8.213.228.20|4443
- ip-dst|port: 179.43.152.178|8825
- ip-dst|port: 43.138.81.38|60000
- ip-dst|port: 47.238.47.190|60000
- ip-dst|port: 185.247.224.66|3333
- domain: hacknestm.run
- domain: galaxiay.world
- domain: trobudrunksz.click
- ip-dst|port: 113.45.140.119|7777
- ip-dst|port: 47.120.46.195|8080
- ip-dst|port: 103.149.182.77|2345
- ip-dst|port: 104.42.26.200|443
- ip-dst|port: 67.219.99.34|443
- ip-dst|port: 64.94.84.10|50050
- ip-dst|port: 69.57.161.93|31337
- ip-dst|port: 162.19.228.213|31337
- ip-dst|port: 62.146.169.174|31337
- ip-dst|port: 183.134.55.166|10001
- ip-dst|port: 170.130.200.118|10001
- ip-dst|port: 118.122.8.155|7775
- ip-dst|port: 18.224.18.64|48001
- ip-dst|port: 18.224.18.64|8151
- ip-dst|port: 162.254.86.108|2087
- ip-dst|port: 84.46.239.89|8089
- ip-dst|port: 51.195.2.222|3333
- ip-dst|port: 3.0.103.25|3333
- ip-dst|port: 45.83.207.229|1177
- ip-dst|port: 91.4.38.47|80
- ip-dst|port: 56.155.3.36|636
- ip-dst|port: 216.9.225.133|57090
- ip-dst|port: 150.158.110.197|8888
- ip-dst|port: 117.205.172.44|47080
- url: http://91.211.248.206/
- url: http://176.65.141.187/
- url: https://pastebin.com/raw/jd8cp7b0
- url: https://pastebin.com/raw/lbtbvbyi
- domain: 5461458.ddns.net
- domain: dadfsfsdfasdfasddfgssdfaafsd-63495.portmap.host
- ip-dst|port: 147.185.221.26|28568
- ip-dst|port: 18.197.94.4|6606
- ip-dst|port: 147.185.221.25|3064
- ip-dst|port: 147.185.221.25|80
- ip-dst|port: 194.36.26.109|25514
- ip-dst|port: 3.127.121.101|3064
- ip-dst|port: 3.127.121.101|80
- domain: mmdrza.ddns.net
- domain: blancoestev27.duckdns.org
- domain: ruffella1122.duckdns.org
- ip-dst|port: 176.65.144.200|6426
- url: https://pastebin.com/raw/j5bthnrr
- domain: flame3135-44263.portmap.host
- domain: gmt-sherman.gl.at.ply.gg
- domain: iii-single.gl.at.ply.gg
- domain: pppaa-51102.portmap.host
- url: https://h.p.formaxprime.co.uk/
- domain: h.p.formaxprime.co.uk
- domain: aiwavey.run
- domain: byteplusx.digital
- domain: skynetxc.live
- domain: pixtreev.run
- domain: sparkiob.digital
- domain: appgridn.live
- ip-dst|port: 113.45.7.54|9999
- ip-dst|port: 2.58.56.217|443
- ip-dst|port: 47.108.158.237|443
- ip-dst|port: 159.75.26.73|8010
- ip-dst|port: 65.20.70.235|443
- ip-dst|port: 27.124.6.49|2404
- ip-dst|port: 104.250.169.68|1962
- ip-dst|port: 199.231.167.54|7707
- ip-dst|port: 120.24.250.89|7443
- ip-dst|port: 42.116.59.138|8080
- ip-dst|port: 172.86.97.13|443
- ip-dst|port: 43.129.41.152|443
- ip-dst|port: 18.175.56.117|17450
- ip-dst|port: 18.175.56.117|60000
- ip-dst|port: 18.175.56.117|250
- ip-dst|port: 115.233.60.197|443
- domain: webdisk.oraonweb.com
- url: https://4ad74aab.xyz/index.php
- ip-dst|port: 47.98.153.84|1234
- ip-dst|port: 42.51.40.85|808
- ip-dst|port: 103.231.12.252|801
- ip-dst|port: 8.146.210.125|8080
- ip-dst|port: 47.93.25.72|82
- ip-dst|port: 154.39.140.34|8080
- ip-dst|port: 34.245.175.187|80
- domain: oct2.xyz
- url: https://compralibri.com/1q2w.js
- domain: compralibri.com
- url: https://compralibri.com/js.php
- url: https://steamcommunity.com/profiles/76561199839170361
- url: https://t.me/lw25chm
- url: https://se.app.formaxprime.co.uk/
- url: https://95.216.180.148/
- domain: app.formaxprime.co.uk
- domain: se.app.formaxprime.co.uk
- ip-dst|port: 78.46.253.51|443
- ip-dst|port: 95.216.180.148|443
- ip-dst|port: 103.140.154.73|80
- ip-dst|port: 103.74.192.189|8080
- ip-dst|port: 206.206.77.88|8888
- ip-dst|port: 41.188.124.175|443
- ip-dst|port: 196.251.86.90|443
- ip-dst|port: 154.205.145.133|2096
- ip-dst|port: 94.250.249.129|8443
- domain: persimmon-turquoise344028.vm-host.com
- url: https://higerson.shop/playlandmusic.mp3
- domain: higerson.shop
- domain: amozon.cc
- ip-dst|port: 103.12.149.85|443
- ip-dst|port: 58.87.94.202|443
- ip-dst|port: 58.87.94.202|80
- url: https://elcctrum.com/download/index.php
- url: https://367524bins7923.b-cdn.net/electrum-4.5.8-setup.exe
- hash: 2246f3653b24eb50f8e43be528270178d8b9576b72fce298d97dda6b5865aced
- domain: kpl-gun77dan.com
- url: http://54.173.207.199:443/mpj6
- url: https://t5impactsupport.world/api
- ip-dst|port: 115.120.251.188|28080
- ip-dst|port: 205.198.65.161|8888
- ip-dst|port: 45.147.7.149|8080
- ip-dst|port: 192.227.220.27|8808
- ip-dst|port: 91.99.23.89|7443
- ip-dst|port: 3.85.11.163|7443
- ip-dst|port: 102.117.175.16|7443
- ip-dst|port: 188.166.56.10|7443
- domain: webmail.efcommxerce.ru
- ip-dst|port: 154.90.63.65|4782
- ip-dst|port: 38.180.141.143|443
- hash: 2065c11664a7a30b693a8334a37fa049f7221ec39bdad401ebae9c453d453edb
- ip-dst|port: 45.76.97.76|443
- ip-dst|port: 62.234.27.146|3306
- ip-dst|port: 47.92.125.40|443
- ip-dst|port: 192.46.223.134|31337
- ip-dst|port: 157.173.112.131|31337
- ip-dst|port: 172.86.80.221|31337
- ip-dst|port: 95.131.202.38|8085
- ip-dst|port: 212.69.167.73|8089
- ip-dst|port: 34.219.107.81|6633
- ip-dst|port: 176.82.217.48|6001
- ip-dst|port: 166.167.30.196|443
- ip-dst|port: 13.58.46.246|32764
- url: http://jmucha.fun/g5vppphc/index.php
- domain: jmucha.fun
- domain: rootedkrypto-29674.portmap.host
- domain: severug.com
- domain: hai1723rat-29066.portmap.host
- domain: abuwire123.ddns.net
- domain: song-direct.gl.at.ply.gg
- domain: them-hobbies.gl.at.ply.gg
- domain: year-tim.gl.at.ply.gg
- ip-dst|port: 108.61.187.67|80
- ip-dst|port: 206.123.152.103|3911
- ip-dst|port: 4.234.110.221|443
- hash: 1b48785b6098f696992c1f65e814ad9f4e2fe3f61ce57bdf0477c05c19661217
- hash: a4ef61a4c32010e87894ad322b87d9f24b9b64c20da5b8b53a1545bbcd16e810
- hash: 6deae0104a84d93f5d2e4fd4c8fb3ae218b77129771bd6c5c79bd7a31e621fd2
- url: http://213.176.72.47/api/ytasodysodisowqsytesodgsotasotusnjusn2qs
- domain: dns-5hm3l-stf-otbor.online
- domain: bitcorep.digital
- url: https://check.dymab.icu/gkcxv.google
- ip-dst|port: 196.251.70.183|443
- ip-dst|port: 120.55.169.128|443
- ip-dst|port: 176.65.142.27|4054
- ip-dst|port: 46.105.31.193|8000
- domain: documents.aruba.cloudconnect-auth0.top
- domain: cpanel.efcommxerce.ru
- ip-dst|port: 35.159.245.137|80
- ip-dst|port: 173.212.208.95|40056
- domain: lingardmechanics.shop
- domain: subdomainhere.klogixsecurity.org
- ip-dst|port: 23.160.168.165|7058
- ip-dst|port: 46.246.82.12|2000
- ip-dst|port: 18.183.153.54|20546
- ip-dst|port: 154.205.148.129|8082
- url: https://check.ledax.icu/gkcxv.google
- ip-dst|port: 175.178.169.151|60000
- ip-dst|port: 2.88.86.152|443
- ip-dst|port: 216.245.184.116|80
- url: https://check.cohor.icu/gkcxv.google
- domain: ehchq7m7rpvdr.cfc-execute.bj.baidubce.com
- ip-dst|port: 139.9.135.76|18443
ThreatFox IOCs for 2025-03-25
Medium
Published: Tue Mar 25 2025 (03/25/2025, 00:00:00 UTC)
Source: MISP
Description
ThreatFox IOCs for 2025-03-25
AI-Powered Analysis
AILast updated: 07/03/2025, 06:26:56 UTC
Technical Analysis
The provided information pertains to a set of Indicators of Compromise (IOCs) published on 2025-03-25 by ThreatFox, sourced from MISP (Malware Information Sharing Platform). The entry is labeled as 'unknown' type with no specific affected software versions, no associated Common Weakness Enumerations (CWEs), and no known exploits in the wild. The threat level is indicated as low to medium (threatLevel: 2), with minimal analysis (analysis: 1) and moderate distribution (distribution: 3). The absence of technical details, affected products, or concrete attack vectors limits the ability to precisely characterize the threat. The IOCs are tagged as OSINT (Open Source Intelligence) and TLP:WHITE, indicating they are intended for broad sharing without restrictions. Since no concrete indicators or exploit details are provided, this entry appears to be a placeholder or a preliminary report of potential threat intelligence rather than a confirmed or active security threat. The medium severity rating likely reflects caution due to the unknown nature and potential for future development rather than current active exploitation.
Potential Impact
Given the lack of specific technical details, affected systems, or known exploits, the immediate impact on European organizations is difficult to quantify. However, the publication of IOCs suggests that there may be emerging or suspected malicious activity that could target various systems in the future. European organizations that rely on threat intelligence feeds and proactive defense mechanisms may benefit from monitoring these IOCs to detect early signs of compromise. Without concrete exploit information, the risk to confidentiality, integrity, and availability remains theoretical at this stage. Nonetheless, organizations should remain vigilant as unknown threats can evolve rapidly, potentially impacting critical infrastructure, government entities, or private sector companies if the threat materializes.
Mitigation Recommendations
1. Integrate the provided IOCs into existing Security Information and Event Management (SIEM) systems and endpoint detection tools to enable early detection of suspicious activity. 2. Maintain up-to-date threat intelligence feeds and subscribe to trusted sources like MISP to receive timely updates on evolving threats. 3. Conduct regular network and endpoint monitoring focusing on anomalous behaviors that could correlate with emerging IOCs. 4. Implement robust incident response procedures to quickly investigate and contain any alerts triggered by these or related IOCs. 5. Engage in information sharing with industry peers and national cybersecurity centers to enhance collective situational awareness. 6. Since no patches or specific vulnerabilities are identified, prioritize general cybersecurity hygiene including timely patching of known vulnerabilities, strong access controls, and user awareness training to reduce attack surface.
Affected Countries
Need more detailed analysis?Get Pro
Pro Feature
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainprogressiveptgreenvalley.com | FAKEUPDATES payload delivery domain (confidence level: 100%) | |
domainwww.amanmail.info | Havoc botnet C2 domain (confidence level: 100%) | |
domainwww.mkdirjava.com | Havoc botnet C2 domain (confidence level: 100%) | |
domainelectrumdoge.com | Unknown malware botnet C2 domain (confidence level: 75%) | |
domainelectrum-avax.com | Unknown malware botnet C2 domain (confidence level: 75%) | |
domainelectrum-ravencoin.com | Unknown malware botnet C2 domain (confidence level: 75%) | |
domainelectrum-xmr.net | Unknown malware botnet C2 domain (confidence level: 75%) | |
domaincpcontacts.aaa.104-168-101-27.cprapid.com | Bashlite botnet C2 domain (confidence level: 100%) | |
domaincpanel.a.multi-canale.com | Bashlite botnet C2 domain (confidence level: 100%) | |
domainmail.b.ora-0-web.com | Bashlite botnet C2 domain (confidence level: 100%) | |
domainwebdisk.aaa.104-168-101-27.cprapid.com | Bashlite botnet C2 domain (confidence level: 100%) | |
domaincpanel.ora-0-web.com | Bashlite botnet C2 domain (confidence level: 100%) | |
domainsvchost.iqiyid.icu | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainksmj.ddns.net | Nanocore RAT botnet C2 domain (confidence level: 100%) | |
domainhacknestm.run | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaingalaxiay.world | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaintrobudrunksz.click | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domain5461458.ddns.net | AsyncRAT botnet C2 domain (confidence level: 50%) | |
domaindadfsfsdfasdfasddfgssdfaafsd-63495.portmap.host | AsyncRAT botnet C2 domain (confidence level: 50%) | |
domainmmdrza.ddns.net | Quasar RAT botnet C2 domain (confidence level: 50%) | |
domainblancoestev27.duckdns.org | Remcos botnet C2 domain (confidence level: 50%) | |
domainruffella1122.duckdns.org | Remcos botnet C2 domain (confidence level: 50%) | |
domainflame3135-44263.portmap.host | XWorm botnet C2 domain (confidence level: 50%) | |
domaingmt-sherman.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domainiii-single.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domainpppaa-51102.portmap.host | XWorm botnet C2 domain (confidence level: 50%) | |
domainh.p.formaxprime.co.uk | Vidar botnet C2 domain (confidence level: 100%) | |
domainaiwavey.run | Lumma Stealer botnet C2 domain (confidence level: 75%) | |
domainbyteplusx.digital | Lumma Stealer botnet C2 domain (confidence level: 75%) | |
domainskynetxc.live | Lumma Stealer botnet C2 domain (confidence level: 75%) | |
domainpixtreev.run | Lumma Stealer botnet C2 domain (confidence level: 75%) | |
domainsparkiob.digital | Lumma Stealer botnet C2 domain (confidence level: 75%) | |
domainappgridn.live | Lumma Stealer botnet C2 domain (confidence level: 75%) | |
domainwebdisk.oraonweb.com | Bashlite botnet C2 domain (confidence level: 100%) | |
domainoct2.xyz | Loki Password Stealer (PWS) botnet C2 domain (confidence level: 75%) | |
domaincompralibri.com | FAKEUPDATES payload delivery domain (confidence level: 100%) | |
domainapp.formaxprime.co.uk | Vidar botnet C2 domain (confidence level: 100%) | |
domainse.app.formaxprime.co.uk | Vidar botnet C2 domain (confidence level: 100%) | |
domainpersimmon-turquoise344028.vm-host.com | Bashlite botnet C2 domain (confidence level: 100%) | |
domainhigerson.shop | Lumma Stealer payload delivery domain (confidence level: 100%) | |
domainamozon.cc | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainkpl-gun77dan.com | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domainwebmail.efcommxerce.ru | Hook botnet C2 domain (confidence level: 100%) | |
domainjmucha.fun | Amadey botnet C2 domain (confidence level: 50%) | |
domainrootedkrypto-29674.portmap.host | AsyncRAT botnet C2 domain (confidence level: 50%) | |
domainseverug.com | Ramnit botnet C2 domain (confidence level: 50%) | |
domainhai1723rat-29066.portmap.host | XenoRAT botnet C2 domain (confidence level: 50%) | |
domainabuwire123.ddns.net | XWorm botnet C2 domain (confidence level: 50%) | |
domainsong-direct.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domainthem-hobbies.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domainyear-tim.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domaindns-5hm3l-stf-otbor.online | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainbitcorep.digital | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaindocuments.aruba.cloudconnect-auth0.top | Hook botnet C2 domain (confidence level: 100%) | |
domaincpanel.efcommxerce.ru | Hook botnet C2 domain (confidence level: 100%) | |
domainlingardmechanics.shop | Havoc botnet C2 domain (confidence level: 100%) | |
domainsubdomainhere.klogixsecurity.org | Havoc botnet C2 domain (confidence level: 100%) | |
domainehchq7m7rpvdr.cfc-execute.bj.baidubce.com | Cobalt Strike botnet C2 domain (confidence level: 75%) |
Ip dst|port
| Value | Description | Copy |
|---|---|---|
ip-dst|port43.160.193.143|443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port128.90.113.194|2000 | AsyncRAT botnet C2 server (confidence level: 100%) | |
ip-dst|port209.38.142.255|80 | Hook botnet C2 server (confidence level: 100%) | |
ip-dst|port113.45.132.242|60000 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port213.199.57.185|3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port152.203.30.145|8080 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port47.94.7.163|10001 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port144.208.127.241|1313 | Remcos botnet C2 server (confidence level: 100%) | |
ip-dst|port31.58.169.119|8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
ip-dst|port51.38.215.206|7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port103.215.78.176|53 | ValleyRAT botnet C2 server (confidence level: 100%) | |
ip-dst|port14.128.50.21|8080 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
ip-dst|port67.159.18.50|1995 | Mirai botnet C2 server (confidence level: 75%) | |
ip-dst|port169.150.202.83|5552 | Nanocore RAT botnet C2 server (confidence level: 100%) | |
ip-dst|port121.36.215.212|80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port106.75.245.80|8443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port104.250.169.98|2404 | Remcos botnet C2 server (confidence level: 100%) | |
ip-dst|port38.146.27.151|443 | Sliver botnet C2 server (confidence level: 100%) | |
ip-dst|port45.130.151.163|443 | Sliver botnet C2 server (confidence level: 100%) | |
ip-dst|port23.94.126.113|8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
ip-dst|port196.251.70.104|6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
ip-dst|port91.211.248.206|80 | Hook botnet C2 server (confidence level: 100%) | |
ip-dst|port197.133.22.251|8081 | Quasar RAT botnet C2 server (confidence level: 100%) | |
ip-dst|port157.20.182.77|4449 | Venom RAT botnet C2 server (confidence level: 100%) | |
ip-dst|port102.96.189.137|443 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
ip-dst|port35.86.98.1|27017 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
ip-dst|port167.71.234.19|80 | MooBot botnet C2 server (confidence level: 100%) | |
ip-dst|port159.65.224.196|80 | MooBot botnet C2 server (confidence level: 100%) | |
ip-dst|port117.72.119.63|7088 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port8.213.228.20|4443 | Havoc botnet C2 server (confidence level: 100%) | |
ip-dst|port179.43.152.178|8825 | DCRat botnet C2 server (confidence level: 100%) | |
ip-dst|port43.138.81.38|60000 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port47.238.47.190|60000 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port185.247.224.66|3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port113.45.140.119|7777 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
ip-dst|port47.120.46.195|8080 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
ip-dst|port103.149.182.77|2345 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
ip-dst|port104.42.26.200|443 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
ip-dst|port67.219.99.34|443 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
ip-dst|port64.94.84.10|50050 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
ip-dst|port69.57.161.93|31337 | Sliver botnet C2 server (confidence level: 50%) | |
ip-dst|port162.19.228.213|31337 | Sliver botnet C2 server (confidence level: 50%) | |
ip-dst|port62.146.169.174|31337 | Sliver botnet C2 server (confidence level: 50%) | |
ip-dst|port183.134.55.166|10001 | Xtreme RAT botnet C2 server (confidence level: 50%) | |
ip-dst|port170.130.200.118|10001 | Xtreme RAT botnet C2 server (confidence level: 50%) | |
ip-dst|port118.122.8.155|7775 | Unknown malware botnet C2 server (confidence level: 50%) | |
ip-dst|port18.224.18.64|48001 | Unknown malware botnet C2 server (confidence level: 50%) | |
ip-dst|port18.224.18.64|8151 | Unknown malware botnet C2 server (confidence level: 50%) | |
ip-dst|port162.254.86.108|2087 | Brute Ratel C4 botnet C2 server (confidence level: 50%) | |
ip-dst|port84.46.239.89|8089 | Brute Ratel C4 botnet C2 server (confidence level: 50%) | |
ip-dst|port51.195.2.222|3333 | Unknown malware botnet C2 server (confidence level: 50%) | |
ip-dst|port3.0.103.25|3333 | Unknown malware botnet C2 server (confidence level: 50%) | |
ip-dst|port45.83.207.229|1177 | NjRAT botnet C2 server (confidence level: 50%) | |
ip-dst|port91.4.38.47|80 | Ghost RAT botnet C2 server (confidence level: 50%) | |
ip-dst|port56.155.3.36|636 | BlackShades botnet C2 server (confidence level: 50%) | |
ip-dst|port216.9.225.133|57090 | Remcos botnet C2 server (confidence level: 75%) | |
ip-dst|port150.158.110.197|8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
ip-dst|port117.205.172.44|47080 | Mozi botnet C2 server (confidence level: 50%) | |
ip-dst|port147.185.221.26|28568 | AsyncRAT botnet C2 server (confidence level: 50%) | |
ip-dst|port18.197.94.4|6606 | AsyncRAT botnet C2 server (confidence level: 50%) | |
ip-dst|port147.185.221.25|3064 | DCRat botnet C2 server (confidence level: 50%) | |
ip-dst|port147.185.221.25|80 | DCRat botnet C2 server (confidence level: 50%) | |
ip-dst|port194.36.26.109|25514 | DCRat botnet C2 server (confidence level: 50%) | |
ip-dst|port3.127.121.101|3064 | DCRat botnet C2 server (confidence level: 50%) | |
ip-dst|port3.127.121.101|80 | DCRat botnet C2 server (confidence level: 50%) | |
ip-dst|port176.65.144.200|6426 | Remcos botnet C2 server (confidence level: 50%) | |
ip-dst|port113.45.7.54|9999 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port2.58.56.217|443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port47.108.158.237|443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port159.75.26.73|8010 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port65.20.70.235|443 | Remcos botnet C2 server (confidence level: 100%) | |
ip-dst|port27.124.6.49|2404 | Remcos botnet C2 server (confidence level: 100%) | |
ip-dst|port104.250.169.68|1962 | Remcos botnet C2 server (confidence level: 100%) | |
ip-dst|port199.231.167.54|7707 | AsyncRAT botnet C2 server (confidence level: 100%) | |
ip-dst|port120.24.250.89|7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port42.116.59.138|8080 | Quasar RAT botnet C2 server (confidence level: 100%) | |
ip-dst|port172.86.97.13|443 | Havoc botnet C2 server (confidence level: 100%) | |
ip-dst|port43.129.41.152|443 | Havoc botnet C2 server (confidence level: 100%) | |
ip-dst|port18.175.56.117|17450 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
ip-dst|port18.175.56.117|60000 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
ip-dst|port18.175.56.117|250 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
ip-dst|port115.233.60.197|443 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port47.98.153.84|1234 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port42.51.40.85|808 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port103.231.12.252|801 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port8.146.210.125|8080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port47.93.25.72|82 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port154.39.140.34|8080 | Meterpreter botnet C2 server (confidence level: 75%) | |
ip-dst|port34.245.175.187|80 | Loki Password Stealer (PWS) botnet C2 server (confidence level: 75%) | |
ip-dst|port78.46.253.51|443 | Vidar botnet C2 server (confidence level: 100%) | |
ip-dst|port95.216.180.148|443 | Vidar botnet C2 server (confidence level: 100%) | |
ip-dst|port103.140.154.73|80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port103.74.192.189|8080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port206.206.77.88|8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port41.188.124.175|443 | Havoc botnet C2 server (confidence level: 100%) | |
ip-dst|port196.251.86.90|443 | Havoc botnet C2 server (confidence level: 100%) | |
ip-dst|port154.205.145.133|2096 | Havoc botnet C2 server (confidence level: 100%) | |
ip-dst|port94.250.249.129|8443 | DeimosC2 botnet C2 server (confidence level: 100%) | |
ip-dst|port103.12.149.85|443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
ip-dst|port58.87.94.202|443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
ip-dst|port58.87.94.202|80 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
ip-dst|port115.120.251.188|28080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port205.198.65.161|8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port45.147.7.149|8080 | AsyncRAT botnet C2 server (confidence level: 100%) | |
ip-dst|port192.227.220.27|8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
ip-dst|port91.99.23.89|7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port3.85.11.163|7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port102.117.175.16|7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port188.166.56.10|7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
ip-dst|port154.90.63.65|4782 | Quasar RAT botnet C2 server (confidence level: 100%) | |
ip-dst|port38.180.141.143|443 | Havoc botnet C2 server (confidence level: 100%) | |
ip-dst|port45.76.97.76|443 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
ip-dst|port62.234.27.146|3306 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
ip-dst|port47.92.125.40|443 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
ip-dst|port192.46.223.134|31337 | Sliver botnet C2 server (confidence level: 50%) | |
ip-dst|port157.173.112.131|31337 | Sliver botnet C2 server (confidence level: 50%) | |
ip-dst|port172.86.80.221|31337 | Sliver botnet C2 server (confidence level: 50%) | |
ip-dst|port95.131.202.38|8085 | Brute Ratel C4 botnet C2 server (confidence level: 50%) | |
ip-dst|port212.69.167.73|8089 | Brute Ratel C4 botnet C2 server (confidence level: 50%) | |
ip-dst|port34.219.107.81|6633 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
ip-dst|port176.82.217.48|6001 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
ip-dst|port166.167.30.196|443 | Ghost RAT botnet C2 server (confidence level: 50%) | |
ip-dst|port13.58.46.246|32764 | Unknown malware botnet C2 server (confidence level: 50%) | |
ip-dst|port108.61.187.67|80 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
ip-dst|port206.123.152.103|3911 | XWorm botnet C2 server (confidence level: 75%) | |
ip-dst|port4.234.110.221|443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
ip-dst|port196.251.70.183|443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port120.55.169.128|443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
ip-dst|port176.65.142.27|4054 | Remcos botnet C2 server (confidence level: 100%) | |
ip-dst|port46.105.31.193|8000 | Sliver botnet C2 server (confidence level: 100%) | |
ip-dst|port35.159.245.137|80 | Havoc botnet C2 server (confidence level: 100%) | |
ip-dst|port173.212.208.95|40056 | Havoc botnet C2 server (confidence level: 100%) | |
ip-dst|port23.160.168.165|7058 | Orcus RAT botnet C2 server (confidence level: 100%) | |
ip-dst|port46.246.82.12|2000 | DCRat botnet C2 server (confidence level: 100%) | |
ip-dst|port18.183.153.54|20546 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
ip-dst|port154.205.148.129|8082 | ERMAC botnet C2 server (confidence level: 100%) | |
ip-dst|port175.178.169.151|60000 | Unknown malware botnet C2 server (confidence level: 75%) | |
ip-dst|port2.88.86.152|443 | QakBot botnet C2 server (confidence level: 75%) | |
ip-dst|port216.245.184.116|80 | Broomstick botnet C2 server (confidence level: 75%) | |
ip-dst|port139.9.135.76|18443 | Cobalt Strike botnet C2 server (confidence level: 75%) |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://91.211.248.206/ | Hook botnet C2 (confidence level: 50%) | |
urlhttp://176.65.141.187/ | Hook botnet C2 (confidence level: 50%) | |
urlhttps://pastebin.com/raw/jd8cp7b0 | AsyncRAT botnet C2 (confidence level: 50%) | |
urlhttps://pastebin.com/raw/lbtbvbyi | AsyncRAT botnet C2 (confidence level: 50%) | |
urlhttps://pastebin.com/raw/j5bthnrr | XWorm botnet C2 (confidence level: 50%) | |
urlhttps://h.p.formaxprime.co.uk/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://4ad74aab.xyz/index.php | DarkWatchman botnet C2 (confidence level: 100%) | |
urlhttps://compralibri.com/1q2w.js | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://compralibri.com/js.php | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://steamcommunity.com/profiles/76561199839170361 | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://t.me/lw25chm | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://se.app.formaxprime.co.uk/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://95.216.180.148/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://higerson.shop/playlandmusic.mp3 | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://elcctrum.com/download/index.php | Unknown Stealer payload delivery URL (confidence level: 100%) | |
urlhttps://367524bins7923.b-cdn.net/electrum-4.5.8-setup.exe | Unknown Stealer payload delivery URL (confidence level: 100%) | |
urlhttp://54.173.207.199:443/mpj6 | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://t5impactsupport.world/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttp://jmucha.fun/g5vppphc/index.php | Amadey botnet C2 (confidence level: 50%) | |
urlhttp://213.176.72.47/api/ytasodysodisowqsytesodgsotasotusnjusn2qs | SmartLoader botnet C2 (confidence level: 75%) | |
urlhttps://check.dymab.icu/gkcxv.google | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://check.ledax.icu/gkcxv.google | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://check.cohor.icu/gkcxv.google | ClearFake payload delivery URL (confidence level: 100%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash2246f3653b24eb50f8e43be528270178d8b9576b72fce298d97dda6b5865aced | Unknown Stealer payload (confidence level: 100%) | |
hash2065c11664a7a30b693a8334a37fa049f7221ec39bdad401ebae9c453d453edb | Unknown Stealer payload (confidence level: 100%) | |
hash1b48785b6098f696992c1f65e814ad9f4e2fe3f61ce57bdf0477c05c19661217 | Unknown Stealer payload (confidence level: 100%) | |
hasha4ef61a4c32010e87894ad322b87d9f24b9b64c20da5b8b53a1545bbcd16e810 | Unknown Stealer payload (confidence level: 100%) | |
hash6deae0104a84d93f5d2e4fd4c8fb3ae218b77129771bd6c5c79bd7a31e621fd2 | Unknown Stealer payload (confidence level: 100%) |
Threat ID: 6829b2d4c469c0a05b456c63
Added to database: 5/18/2025, 10:13:40 AM
Last enriched: 7/3/2025, 6:26:56 AM
Last updated: 8/16/2025, 12:53:49 AM
Views: 15
Related Threats
Actions
PRO
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Please log in to the Console to use AI analysis features.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.