ThreatFox IOCs for 2025-05-11
AI Analysis
Technical Summary
This page is the ThreatFox daily export for 2025-05-11, republished as a MISP event. ThreatFox is abuse.ch's community platform for sharing malware indicators, and MISP ingests its daily feed as an event of type "osint"; the tag describes the source (an open feed) and says nothing about how the malware operates. The event consists entirely of indicators: 203 of them, made up of 143 botnet C2 endpoints recorded as ip:port pairs, 49 domains and 11 URLs, each carrying the reporter's malware family tag and a confidence level of 50, 75, 80 or 100%. The C2 endpoints are tagged mostly as post-exploitation frameworks (Cobalt Strike, Sliver, Havoc, Brute Ratel C4, Meterpreter, DeimosC2, Nimplant) and commodity RATs and stealers (AsyncRAT, Remcos, Quasar RAT, NjRAT, DarkComet, Nanocore, XWorm, SectopRAT, ValleyRAT, Ghost RAT, Xtreme RAT, NetSupportManager RAT, Agent Tesla, Poseidon Stealer, QakBot, Tofsee), plus Android banking trojans (Hook, ERMAC), Linux and IoT botnets (MooBot, Bashlite, Chaos) and one Kimsuky infrastructure entry. The domains are mainly ClearFake and FAKEUPDATES payload delivery hosts (fake browser update lures served from compromised websites; FAKEUPDATES is also tracked as SocGholish), Lumma Stealer C2 domains, Cobalt Strike C2 domains, and RAT C2 hostnames on dynamic DNS and port-forwarding services (duckdns.org, ddns.net, myftp.org, portmap.io, portmap.host). One URL, http://154.198.50.83:8888/supershell/login/, appears from its path to be the login page of a Supershell C2 web panel, although the ip:port entry for that host is tagged only as unknown malware. ThreatFox publishes C2 endpoints as ip:port indicators; in some renderings of this export (including the raw list form) each pair is split into a "file" entry holding the IP and a "hash" entry holding the port, so a value such as "hash: 443" is a TCP port, not a file hash. The event metadata are MISP fields: threat level 2 is Medium, analysis 1 is Ongoing, distribution 3 is "all communities", and TLP white means the indicators can be shared without restriction. There are no CVEs, CWEs, affected products or patches because this is an infrastructure feed rather than a vulnerability; the only action it calls for is detection and blocking. Per-indicator descriptions on this page cover the domains and ip:port entries; the URLs carry none.
Potential Impact
A match on any indicator in this set is evidence of compromise rather than of exposure, because almost all of them are command-and-control endpoints: a host connecting to a Cobalt Strike, Sliver, Havoc or Brute Ratel C4 server already has an implant running, and these frameworks are the standard hands-on-keyboard tooling of ransomware and espionage intrusions as well as of red teams. The RAT entries (AsyncRAT, Remcos, Quasar RAT, NjRAT, DarkComet, Nanocore, XWorm) give an operator interactive control of the endpoint. Lumma Stealer and Poseidon Stealer harvest browser credentials and session cookies, so a hit implies credential and session compromise even after the host is cleaned. The Agent Tesla entries are FTP servers (ftp.hitplas.ro, ftp.haliza.com.my and ftp.fosna.net, all on port 21), consistent with its use of FTP as an exfiltration channel for stolen credentials. Hook and ERMAC are Android banking trojans and matter for mobile fleets and BYOD; MooBot, Bashlite and Chaos target Linux and IoT devices, typically for DDoS. The ClearFake and FAKEUPDATES domains are the initial-access side: a user who visited a compromised site and accepted a fake browser update prompt would have fetched a loader from one of them, which makes those domains worth hunting for in proxy and DNS logs even where no C2 traffic has been seen. The login.mexc-signin.kro.kr entry, tagged Kimsuky at 50% confidence, is named to mimic a MEXC cryptocurrency exchange sign-in page and points to credential phishing rather than malware. The MISP threat level of Medium reflects the daily, commodity nature of the feed; individual indicators (a 100% confidence Cobalt Strike server, for example) should be handled as high severity. ThreatFox indicators carry no victim geography: the country list on this page is the aggregator's default European scope, not a finding from the data, and the feed applies equally to any organisation whose systems can reach the Internet.
Mitigation Recommendations
1. Load the domains, URLs and ip:port endpoints into the controls that can act on them: domains and URLs into DNS RPZ, proxy and web-filter blocklists; ip:port pairs into firewall egress rules and IDS/IPS signatures keyed on destination IP and destination port together. Match ip:port entries on both fields: several addresses appear with more than one port and family (185.227.152.100 on 2086, 443 and 53; 92.63.197.45 as Cobalt Strike on 443 and Meterpreter on 8443), and many sit in shared cloud and hosting ranges (the raypun.eastus.cloudapp.azure.com and magical-lumiere.94-156-177-241.plesk.page hostnames are provider-assigned), so IP-only blocks cause collateral damage and go stale within days.
2. Weight each entry by the confidence level it carries. Treat 100% entries as block-and-alert and 50% entries as alert-only, and use the family tag to set priority: any hit on a Cobalt Strike, Sliver, Havoc, Brute Ratel C4, Meterpreter, DeimosC2 or Nimplant endpoint should open an incident and isolate the host, because it indicates a running implant rather than an attempted download.
3. Hunt retrospectively as well as forward. Search DNS, proxy and flow logs for at least the preceding 30 days for the ClearFake and FAKEUPDATES domains (initial access), the Lumma Stealer domains (credential theft) and the C2 endpoints. Where a stealer hit is found, reset the user's passwords and revoke active sessions and tokens; cleaning the host does not recover stolen cookies.
4. Restrict egress by default. Most of the C2 ports here are non-standard (3333, 6606, 7443, 7707, 8808, 2404, 2427, 31337, 50050; 50050 is the Cobalt Strike team server default and 31337 the Sliver operator default), so a default-deny outbound policy with an allow-list for web, mail and named services blocks most of them without a signature. Block outbound FTP (port 21) from user endpoints, which removes the Agent Tesla channel.
5. Treat dynamic DNS and port-forwarding services (duckdns.org, ddns.net, myftp.org, portmap.io, portmap.host) as high-risk at the resolver and proxy: log every resolution, and block the parent zones where there is no business use.
6. Tell users that browsers update themselves and never through a web page prompt; a "Chrome update" offered by a site (the google-chrome.western-servers.net and www.google-chrome.info lures in this set) is the FAKEUPDATES/ClearFake pattern. Pair this with application control so that a downloaded "update" cannot execute from user-writable paths.
7. For mobile fleets, block the Hook and ERMAC endpoints at the mobile VPN or MDM-managed DNS layer and allow installation from official stores only.
8. Automate ingestion and expiry. ThreatFox publishes this data daily and C2 infrastructure churns quickly, so pull the feed programmatically (ThreatFox offers an API and CSV/JSON exports) with an expiry of a few weeks per indicator instead of maintaining a hand-copied list, and keep the confidence and family fields alongside each indicator so the SOC can triage hits.
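The ingestion and matching steps above, as an added example that is not code from ThreatFox, abuse.ch, MISP or this page's author: the script re-joins the split file/hash pairs into ip:port indicators, filters by the confidence level each entry carries, checks constructed proxy and DNS log lines (an assumed key=value format) against the set, and generates one Suricata rule per C2 endpoint. The indicator lines and descriptions are copied from this page; the log lines, field names and sid range are invented for the example.

```python
"""Re-join a ThreatFox daily export, apply it to logs, emit Suricata rules (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied from the 2025-05-11 list on this page, split 'file:'/'hash:' pairs included.
RAW_IOCS = """\
- domain: wybod.run
- file: 38.207.176.60
- hash: 5003
- domain: flowerexju.bet
- file: 67.211.216.77
- hash: 3396
- url: http://154.198.50.83:8888/supershell/login/
- file: 154.198.50.83
- hash: 8888
- domain: login.mexc-signin.kro.kr
"""

# (description, ThreatFox confidence %) as given in the page's tables; the URL has no row there.
DESCRIPTIONS = {
    "wybod.run": ("ClearFake payload delivery domain", 100),
    "flowerexju.bet": ("Lumma Stealer botnet C2 domain", 100),
    "38.207.176.60:5003": ("Cobalt Strike botnet C2 server", 100),
    "67.211.216.77:3396": ("Remcos botnet C2 server", 100),
    "154.198.50.83:8888": ("Unknown malware botnet C2 server", 100),
    "login.mexc-signin.kro.kr": ("Kimsuky botnet C2 domain", 50),
}

# Constructed proxy/DNS log lines in an assumed key=value format; not from any real system.
SAMPLE_LOG = """\
2025-05-12T08:01:12Z src=10.0.4.17 dst=38.207.176.60 dport=5003 proto=tcp
2025-05-12T08:01:40Z src=10.0.4.17 dst=38.207.176.60 dport=443 proto=tcp
2025-05-12T08:02:03Z src=10.0.7.3 dns_query=wybod.run
2025-05-12T08:02:51Z src=10.0.7.3 dns_query=cdn.wybod.run
2025-05-12T08:03:10Z src=10.0.9.9 dns_query=login.mexc-signin.kro.kr
2025-05-12T08:04:00Z src=10.0.9.9 dst=154.198.50.83 dport=8888 proto=tcp
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass(frozen=True)
class Ioc:
    kind: str                  # "domain", "ip:port", "url" (or "file" for a real file IOC)
    value: str
    description: str
    confidence: Optional[int]  # None when the page gives no figure


def parse_export(text: str) -> List[Ioc]:
    """Parse '- type: value' lines. A 'file' line holding an IPv4 address followed by a
    'hash' line holding a port is one ThreatFox ip:port indicator and is re-joined."""
    iocs: List[Ioc] = []
    pending_ip: Optional[str] = None
    for line in text.splitlines():
        m = re.match(r"-\s*(\w+):\s*(\S+)", line)
        if not m:
            continue
        kind, value = m.group(1), m.group(2)
        if kind == "file" and IPV4.fullmatch(value):
            pending_ip = value  # IP half of a split ip:port pair; wait for the port line
            continue
        if kind == "hash" and pending_ip and value.isdigit() and 0 < int(value) < 65536:
            kind, value = "ip:port", f"{pending_ip}:{value}"
            pending_ip = None
        desc, conf = DESCRIPTIONS.get(value, ("no description on the page", None))
        iocs.append(Ioc(kind, value, desc, conf))
    return iocs


def match_log(log: str, iocs: List[Ioc], min_confidence: int = 75) -> List[Tuple[str, Ioc]]:
    """Return (log line, indicator) pairs. ip:port entries need destination IP and port to
    match; domains match exactly or as a parent of the queried name. Entries below
    min_confidence are ignored (None, i.e. no figure on the page, is kept)."""
    selected = [i for i in iocs if i.confidence is None or i.confidence >= min_confidence]
    endpoints = {i.value: i for i in selected if i.kind == "ip:port"}
    domains = [i for i in selected if i.kind == "domain"]
    hits: List[Tuple[str, Ioc]] = []
    for line in log.splitlines():
        conn = re.search(r"dst=(\S+)\s+dport=(\d+)", line)
        if conn and f"{conn.group(1)}:{conn.group(2)}" in endpoints:
            hits.append((line, endpoints[f"{conn.group(1)}:{conn.group(2)}"]))
        query = re.search(r"dns_query=(\S+)", line)
        if query:
            name = query.group(1).lower().rstrip(".")
            hits.extend((line, d) for d in domains
                        if name == d.value or name.endswith("." + d.value))
    return hits


def suricata_rules(iocs: List[Ioc], sid_base: int = 9000000) -> List[str]:
    """One Suricata rule per ip:port indicator, alerting on outbound connections to it."""
    rules = []
    for n, ioc in enumerate(i for i in iocs if i.kind == "ip:port"):
        ip, port = ioc.value.rsplit(":", 1)
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} (msg:"ThreatFox {ioc.description}"; '
                     f'flow:to_server; sid:{sid_base + n}; rev:1;)')
    return rules
```

Two things worth noticing when running it against the sample: the second log line, the same Cobalt Strike host on port 443, does not match because the indicator is the IP and port together, and whether to alert on the bare IP as well is a tuning decision; and the Kimsuky domain only surfaces when `min_confidence` is lowered to 50, which is the alert-only tier suggested in item 2.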
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Finland
Indicators of Compromise
(ip:port entries are ThreatFox's C2 endpoint type: an IP address and a TCP port together form the indicator; they are not files or hashes.)
- domain: wybod.run
- ip:port: 38.207.176.60:5003
- ip:port: 104.160.187.230:443
- domain: flowerexju.bet
- domain: easterxeen.run
- domain: araucahkbm.live
- domain: posseswsnc.top
- domain: featurlyin.top
- domain: fiwyj.run
- ip:port: 148.66.2.197:21
- domain: google-chrome.western-servers.net
- domain: www.google-chrome.info
- domain: kyjej.run
- domain: jyjev.run
- ip:port: 1.14.200.238:3306
- ip:port: 82.156.105.55:443
- ip:port: 67.211.216.77:3396
- ip:port: 154.198.50.83:8888
- ip:port: 138.199.162.81:1961
- ip:port: 85.215.107.125:1231
- ip:port: 93.95.230.53:7443
- domain: sliv.ph4nt0m.fr
- ip:port: 51.38.140.91:80
- ip:port: 51.89.204.75:443
- ip:port: 64.23.243.220:3333
- domain: cyleb.run
- ip:port: 110.42.45.117:443
- ip:port: 154.219.109.205:2096
- ip:port: 185.208.159.224:1433
- domain: www.joydome.xyz
- domain: pixelpitstop.xyz
- domain: gamespheres.xyz
- ip:port: 8.131.118.10:4444
- ip:port: 13.209.176.201:52683
- ip:port: 45.192.104.206:6003
- ip:port: 3.215.185.215:7001
- ip:port: 196.251.114.17:8808
- ip:port: 79.110.49.72:8808
- ip:port: 128.90.113.42:2000
- ip:port: 196.251.86.13:6606
- domain: cpcalendars.tempoestil.com
- ip:port: 176.65.144.114:50555
- ip:port: 20.217.80.197:80
- ip:port: 47.109.190.151:60000
- ip:port: 177.39.220.26:4443
- ip:port: 54.90.199.244:3333
- ip:port: 81.70.236.111:3333
- ip:port: 193.123.83.19:443
- ip:port: 159.89.162.159:3333
- ip:port: 5.255.118.52:3333
- ip:port: 13.60.65.130:3333
- ip:port: 92.36.141.43:8080
- ip:port: 20.227.93.232:3333
- ip:port: 23.95.197.208:80
- domain: electrunn.org
- url: https://topguningit.com/test/
- url: https://lofiramegi.com/test/
- ip:port: 103.45.68.135:4444
- ip:port: 118.178.192.36:5555
- ip:port: 103.45.68.135:80
- ip:port: 216.219.85.188:8443
- ip:port: 118.178.192.36:8088
- domain: fepez.run
- url: http://154.198.50.83:8888/supershell/login/
- ip:port: 115.175.39.35:443
- ip:port: 185.208.159.224:443
- ip:port: 101.43.94.35:50050
- ip:port: 185.234.247.119:31337
- ip:port: 107.172.29.162:31337
- ip:port: 107.152.33.179:31337
- ip:port: 217.160.208.94:31337
- ip:port: 144.202.86.212:31337
- ip:port: 212.11.64.225:31337
- ip:port: 107.189.18.56:9000
- ip:port: 95.131.202.38:2083
- ip:port: 43.198.88.206:13
- ip:port: 94.141.122.183:443
- url: http://176.65.144.114:50555/
- url: http://103.116.8.240:50555/
- domain: dn-master.ddns.net
- domain: enzomtp.dragonia-pvp.fr
- domain: zizo.myftp.org
- domain: irc.xinxin.cam
- domain: xenqxd-42269.portmap.host
- url: https://pastebin.com/raw/r9a1gjxb
- ip:port: 147.185.221.28:23258
- ip:port: 120.26.199.12:443
- ip:port: 8.219.232.189:2095
- ip:port: 92.63.197.45:443
- ip:port: 209.74.81.22:80
- ip:port: 139.9.92.182:9001
- ip:port: 139.9.92.182:9999
- ip:port: 172.111.244.103:37830
- ip:port: 177.124.72.27:443
- ip:port: 88.229.2.85:888
- ip:port: 88.229.2.85:6606
- domain: cov.ph4nt0m.fr
- ip:port: 185.143.241.98:443
- ip:port: 102.100.54.53:443
- ip:port: 144.172.73.64:9999
- url: https://egirlcam.com/
- domain: niggerkiller69.duckdns.org
- ip:port: 45.80.158.239:5939
- url: http://odyssey-st.com/
- ip:port: 15.197.85.202:443
- ip:port: 177.124.72.27:8888
- domain: sorov.run
- ip:port: 24.158.35.3:443
- ip:port: 54.198.212.23:443
- ip:port: 80.66.75.39:420
- domain: ftp.hitplas.ro
- ip:port: 136.243.131.47:21
- domain: ftp.haliza.com.my
- ip:port: 110.4.45.197:21
- domain: ftp.fosna.net
- ip:port: 173.254.31.34:21
- ip:port: 92.63.197.45:8443
- ip:port: 83.229.121.235:443
- ip:port: 185.227.152.100:2086
- ip:port: 185.227.152.100:443
- ip:port: 116.62.126.115:8888
- ip:port: 113.17.35.148:8443
- ip:port: 185.242.235.45:80
- ip:port: 47.115.222.119:8008
- ip:port: 209.58.181.226:6513
- ip:port: 103.157.28.180:80
- ip:port: 144.172.94.163:2427
- ip:port: 161.97.116.56:443
- domain: pexab.run
- url: http://61.3.26.117:55159/mozi.m
- ip:port: 156.251.179.116:80
- ip:port: 135.220.19.84:31337
- ip:port: 110.43.68.80:10001
- ip:port: 45.138.159.2:9000
- ip:port: 158.247.247.157:443
- ip:port: 117.72.119.212:9205
- domain: djkms-32561.portmap.host
- domain: 1re0-61442.portmap.io
- ip:port: 176.65.134.78:45682
- ip:port: 185.196.11.181:9908
- url: https://login.mexc-signin.kro.kr
- domain: login.mexc-signin.kro.kr
- ip:port: 116.62.30.120:4433
- ip:port: 38.207.179.194:8888
- ip:port: 152.136.145.153:8000
- ip:port: 193.26.115.199:2404
- ip:port: 191.96.207.235:2404
- domain: magical-lumiere.94-156-177-241.plesk.page
- ip:port: 120.53.15.200:8808
- ip:port: 206.238.115.155:8808
- ip:port: 3.215.185.215:6001
- ip:port: 176.65.141.225:6606
- ip:port: 176.65.141.225:7707
- ip:port: 176.65.141.225:8808
- ip:port: 176.65.142.228:6606
- ip:port: 102.117.163.86:7443
- ip:port: 193.23.219.54:7443
- ip:port: 176.65.144.221:7443
- ip:port: 51.89.204.75:80
- ip:port: 4.193.160.64:8081
- domain: kepov.run
- domain: ciwid.run
- domain: mygar.run
- domain: electrurn.com
- domain: electrurn.org
- ip:port: 47.236.58.201:80
- ip:port: 47.120.45.216:9009
- ip:port: 47.238.140.204:8990
- ip:port: 43.156.57.179:80
- ip:port: 54.252.215.88:31337
- ip:port: 45.151.62.134:31337
- ip:port: 159.223.205.104:31337
- ip:port: 31.128.216.7:7777
- domain: dhaker.ddns.net
- domain: raypun.eastus.cloudapp.azure.com
- domain: samrat4-56907.portmap.io
- domain: lancery.digital
- ip:port: 49.228.131.165:2427
- domain: metalliko-industr.ru
- domain: ns1.shamless.sbs
- domain: skyprotech.ru
- ip:port: 176.98.178.4:53
- ip:port: 176.98.178.55:53
- ip:port: 185.227.152.100:53
- ip:port: 217.198.5.240:53
- url: http://212194cm.nyashware.ru/phppacketmultibaseuniversaltrackuploadsdownloads.php
- domain: cv.cbrw.ru
- ip:port: 103.131.131.92:2404
- ip:port: 103.157.28.180:443
- ip:port: 185.112.83.238:443
- ip:port: 49.113.73.193:8888
- ip:port: 176.65.142.228:7707
- ip:port: 193.143.1.236:80
- ip:port: 196.251.73.47:443
- ip:port: 154.21.201.16:7878
- ip:port: 18.177.128.103:80
- ip:port: 141.147.108.142:80
- ip:port: 121.9.235.32:54681
- ip:port: 23.24.41.225:995
- ip:port: 46.236.195.130:87
- ip:port: 14.128.63.6:6666
- domain: sijyh.run
- ip:port: 43.255.159.28:443
Technical Details
- Threat Level: 2 (MISP scale: 1 = High, 2 = Medium, 3 = Low, 4 = Undefined)
- Analysis: 1 (MISP: 0 = Initial, 1 = Ongoing, 2 = Complete)
- Distribution: 3 (MISP: all communities)
- UUID: c4434e1f-442f-4683-a6dc-dfe10f51ea89
- Original Timestamp: 1747008186 (2025-05-12 00:03:06 UTC)
Indicators of Compromise
Domain
Value | Description | Copy |
---|---|---|
domainwybod.run | ClearFake payload delivery domain (confidence level: 100%) | |
domainflowerexju.bet | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaineasterxeen.run | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainaraucahkbm.live | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainposseswsnc.top | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainfeaturlyin.top | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainfiwyj.run | ClearFake payload delivery domain (confidence level: 100%) | |
domaingoogle-chrome.western-servers.net | FAKEUPDATES payload delivery domain (confidence level: 80%) | |
domainwww.google-chrome.info | FAKEUPDATES payload delivery domain (confidence level: 80%) | |
domainkyjej.run | ClearFake payload delivery domain (confidence level: 100%) | |
domainjyjev.run | ClearFake payload delivery domain (confidence level: 100%) | |
domainsliv.ph4nt0m.fr | Havoc botnet C2 domain (confidence level: 100%) | |
domaincyleb.run | ClearFake payload delivery domain (confidence level: 100%) | |
domainwww.joydome.xyz | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainpixelpitstop.xyz | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domaingamespheres.xyz | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domaincpcalendars.tempoestil.com | Unknown malware botnet C2 domain (confidence level: 100%) | |
domainelectrunn.org | Unknown malware botnet C2 domain (confidence level: 75%) | |
domainfepez.run | ClearFake payload delivery domain (confidence level: 100%) | |
domaindn-master.ddns.net | DarkComet botnet C2 domain (confidence level: 50%) | |
domainenzomtp.dragonia-pvp.fr | Nanocore RAT botnet C2 domain (confidence level: 50%) | |
domainzizo.myftp.org | NjRAT botnet C2 domain (confidence level: 50%) | |
domainirc.xinxin.cam | Quasar RAT botnet C2 domain (confidence level: 50%) | |
domainxenqxd-42269.portmap.host | Quasar RAT botnet C2 domain (confidence level: 50%) | |
domaincov.ph4nt0m.fr | Havoc botnet C2 domain (confidence level: 100%) | |
domainniggerkiller69.duckdns.org | Quasar RAT botnet C2 domain (confidence level: 50%) | |
domainsorov.run | ClearFake payload delivery domain (confidence level: 100%) | |
domainftp.hitplas.ro | Agent Tesla botnet C2 domain (confidence level: 50%) | |
domainftp.haliza.com.my | Agent Tesla botnet C2 domain (confidence level: 50%) | |
domainftp.fosna.net | Agent Tesla botnet C2 domain (confidence level: 50%) | |
domainpexab.run | ClearFake payload delivery domain (confidence level: 100%) | |
domaindjkms-32561.portmap.host | Nanocore RAT botnet C2 domain (confidence level: 50%) | |
domain1re0-61442.portmap.io | NjRAT botnet C2 domain (confidence level: 50%) | |
domainlogin.mexc-signin.kro.kr | Kimsuky botnet C2 domain (confidence level: 50%) | |
domainmagical-lumiere.94-156-177-241.plesk.page | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domainkepov.run | ClearFake payload delivery domain (confidence level: 100%) | |
domainciwid.run | ClearFake payload delivery domain (confidence level: 100%) | |
domainmygar.run | ClearFake payload delivery domain (confidence level: 100%) | |
domainelectrurn.com | Unknown malware botnet C2 domain (confidence level: 75%) | |
domainelectrurn.org | Unknown malware botnet C2 domain (confidence level: 75%) | |
domaindhaker.ddns.net | DarkComet botnet C2 domain (confidence level: 50%) | |
domainraypun.eastus.cloudapp.azure.com | DarkComet botnet C2 domain (confidence level: 50%) | |
domainsamrat4-56907.portmap.io | Quasar RAT botnet C2 domain (confidence level: 50%) | |
domainlancery.digital | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domainmetalliko-industr.ru | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainns1.shamless.sbs | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainskyprotech.ru | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domaincv.cbrw.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainsijyh.run | ClearFake payload delivery domain (confidence level: 100%) |
File
Value | Description | Copy |
---|---|---|
file38.207.176.60 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file104.160.187.230 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file148.66.2.197 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file1.14.200.238 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file82.156.105.55 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file67.211.216.77 | Remcos botnet C2 server (confidence level: 100%) | |
file154.198.50.83 | Unknown malware botnet C2 server (confidence level: 100%) | |
file138.199.162.81 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file85.215.107.125 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file93.95.230.53 | Unknown malware botnet C2 server (confidence level: 100%) | |
file51.38.140.91 | MooBot botnet C2 server (confidence level: 100%) | |
file51.89.204.75 | Unknown malware botnet C2 server (confidence level: 100%) | |
file64.23.243.220 | Unknown malware botnet C2 server (confidence level: 100%) | |
file110.42.45.117 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file154.219.109.205 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file185.208.159.224 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file8.131.118.10 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file13.209.176.201 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file45.192.104.206 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file3.215.185.215 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file196.251.114.17 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file79.110.49.72 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file128.90.113.42 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file196.251.86.13 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file176.65.144.114 | Hook botnet C2 server (confidence level: 100%) | |
file20.217.80.197 | ERMAC botnet C2 server (confidence level: 100%) | |
file47.109.190.151 | Unknown malware botnet C2 server (confidence level: 100%) | |
file177.39.220.26 | Unknown malware botnet C2 server (confidence level: 100%) | |
file54.90.199.244 | Unknown malware botnet C2 server (confidence level: 100%) | |
file81.70.236.111 | Unknown malware botnet C2 server (confidence level: 100%) | |
file193.123.83.19 | Unknown malware botnet C2 server (confidence level: 100%) | |
file159.89.162.159 | Unknown malware botnet C2 server (confidence level: 100%) | |
file5.255.118.52 | Unknown malware botnet C2 server (confidence level: 100%) | |
file13.60.65.130 | Unknown malware botnet C2 server (confidence level: 100%) | |
file92.36.141.43 | Unknown malware botnet C2 server (confidence level: 100%) | |
file20.227.93.232 | Unknown malware botnet C2 server (confidence level: 100%) | |
file23.95.197.208 | Bashlite botnet C2 server (confidence level: 100%) | |
file103.45.68.135 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file118.178.192.36 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file103.45.68.135 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file216.219.85.188 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file118.178.192.36 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file115.175.39.35 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file185.208.159.224 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file101.43.94.35 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file185.234.247.119 | Sliver botnet C2 server (confidence level: 50%) | |
file107.172.29.162 | Sliver botnet C2 server (confidence level: 50%) | |
file107.152.33.179 | Sliver botnet C2 server (confidence level: 50%) | |
file217.160.208.94 | Sliver botnet C2 server (confidence level: 50%) | |
file144.202.86.212 | Sliver botnet C2 server (confidence level: 50%) | |
file212.11.64.225 | Sliver botnet C2 server (confidence level: 50%) | |
file107.189.18.56 | SectopRAT botnet C2 server (confidence level: 50%) | |
file95.131.202.38 | Brute Ratel C4 botnet C2 server (confidence level: 50%) | |
file43.198.88.206 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
file94.141.122.183 | Unknown malware botnet C2 server (confidence level: 50%) | |
file147.185.221.28 | XWorm botnet C2 server (confidence level: 50%) | |
file120.26.199.12 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file8.219.232.189 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file92.63.197.45 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file209.74.81.22 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file139.9.92.182 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file139.9.92.182 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file172.111.244.103 | Remcos botnet C2 server (confidence level: 100%) | |
file177.124.72.27 | Sliver botnet C2 server (confidence level: 100%) | |
file88.229.2.85 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file88.229.2.85 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file185.143.241.98 | Havoc botnet C2 server (confidence level: 100%) | |
file102.100.54.53 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file144.172.73.64 | MooBot botnet C2 server (confidence level: 100%) | |
file45.80.158.239 | Quasar RAT botnet C2 server (confidence level: 50%) | |
file15.197.85.202 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file177.124.72.27 | Sliver botnet C2 server (confidence level: 75%) | |
file24.158.35.3 | QakBot botnet C2 server (confidence level: 75%) | |
file54.198.212.23 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file80.66.75.39 | Tofsee botnet C2 server (confidence level: 100%) | |
file136.243.131.47 | Agent Tesla botnet C2 server (confidence level: 50%) | |
file110.4.45.197 | Agent Tesla botnet C2 server (confidence level: 50%) | |
file173.254.31.34 | Agent Tesla botnet C2 server (confidence level: 50%) | |
file92.63.197.45 | Meterpreter botnet C2 server (confidence level: 75%) | |
file83.229.121.235 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file185.227.152.100 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file185.227.152.100 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file116.62.126.115 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file113.17.35.148 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file185.242.235.45 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file47.115.222.119 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file209.58.181.226 | Remcos botnet C2 server (confidence level: 100%) | |
file103.157.28.180 | Remcos botnet C2 server (confidence level: 100%) | |
file144.172.94.163 | Remcos botnet C2 server (confidence level: 100%) | |
file161.97.116.56 | Nimplant botnet C2 server (confidence level: 100%) | |
file156.251.179.116 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file135.220.19.84 | Sliver botnet C2 server (confidence level: 50%) | |
file110.43.68.80 | Xtreme RAT botnet C2 server (confidence level: 50%) | |
file45.138.159.2 | SectopRAT botnet C2 server (confidence level: 50%) | |
file158.247.247.157 | Kimsuky botnet C2 server (confidence level: 50%) | |
file117.72.119.212 | Unknown malware botnet C2 server (confidence level: 50%) | |
file176.65.134.78 | Remcos botnet C2 server (confidence level: 50%) | |
file185.196.11.181 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file116.62.30.120 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file38.207.179.194 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file152.136.145.153 | Ghost RAT botnet C2 server (confidence level: 100%) | |
file193.26.115.199 | Remcos botnet C2 server (confidence level: 100%) | |
file191.96.207.235 | Remcos botnet C2 server (confidence level: 100%) | |
file120.53.15.200 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file206.238.115.155 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file3.215.185.215 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file176.65.141.225 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file176.65.141.225 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file176.65.141.225 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file176.65.142.228 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file102.117.163.86 | Unknown malware botnet C2 server (confidence level: 100%) | |
file193.23.219.54 | Unknown malware botnet C2 server (confidence level: 100%) | |
file176.65.144.221 | Unknown malware botnet C2 server (confidence level: 100%) | |
file51.89.204.75 | Unknown malware botnet C2 server (confidence level: 100%) | |
file4.193.160.64 | MimiKatz botnet C2 server (confidence level: 100%) | |
file47.236.58.201 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file47.120.45.216 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file47.238.140.204 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file43.156.57.179 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file54.252.215.88 | Sliver botnet C2 server (confidence level: 50%) | |
file45.151.62.134 | Sliver botnet C2 server (confidence level: 50%) | |
file159.223.205.104 | Sliver botnet C2 server (confidence level: 50%) | |
file31.128.216.7 | Unknown malware botnet C2 server (confidence level: 50%) | |
file49.228.131.165 | NjRAT botnet C2 server (confidence level: 100%) | |
file176.98.178.4 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file176.98.178.55 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file185.227.152.100 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file217.198.5.240 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file103.131.131.92 | Remcos botnet C2 server (confidence level: 100%) | |
file103.157.28.180 | Remcos botnet C2 server (confidence level: 100%) | |
file185.112.83.238 | Sliver botnet C2 server (confidence level: 100%) | |
file49.113.73.193 | Unknown malware botnet C2 server (confidence level: 100%) | |
file176.65.142.228 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file193.143.1.236 | Poseidon Stealer botnet C2 server (confidence level: 100%) | |
file196.251.73.47 | Havoc botnet C2 server (confidence level: 100%) | |
file154.21.201.16 | Havoc botnet C2 server (confidence level: 100%) | |
file18.177.128.103 | Brute Ratel C4 botnet C2 server (confidence level: 100%) | |
file141.147.108.142 | Chaos botnet C2 server (confidence level: 100%) | |
file121.9.235.32 | Chaos botnet C2 server (confidence level: 100%) | |
file23.24.41.225 | QakBot botnet C2 server (confidence level: 75%) | |
file46.236.195.130 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file14.128.63.6 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file43.255.159.28 | Cobalt Strike botnet C2 server (confidence level: 75%) |
Port
The values below are the port halves of ThreatFox ip:port indicators, not file hashes: the export lists each port separately from its address in the table above, with the same description and confidence level.
Value | Description
---|---
5003 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
21 | Cobalt Strike botnet C2 server (confidence level: 100%)
3306 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
3396 | Remcos botnet C2 server (confidence level: 100%)
8888 | Unknown malware botnet C2 server (confidence level: 100%)
1961 | AsyncRAT botnet C2 server (confidence level: 100%)
1231 | AsyncRAT botnet C2 server (confidence level: 100%)
7443 | Unknown malware botnet C2 server (confidence level: 100%)
80 | MooBot botnet C2 server (confidence level: 100%)
443 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 75%)
2096 | Cobalt Strike botnet C2 server (confidence level: 75%)
1433 | Cobalt Strike botnet C2 server (confidence level: 75%)
4444 | Cobalt Strike botnet C2 server (confidence level: 100%)
52683 | Cobalt Strike botnet C2 server (confidence level: 100%)
6003 | Cobalt Strike botnet C2 server (confidence level: 100%)
7001 | AsyncRAT botnet C2 server (confidence level: 100%)
8808 | AsyncRAT botnet C2 server (confidence level: 100%)
8808 | AsyncRAT botnet C2 server (confidence level: 100%)
2000 | AsyncRAT botnet C2 server (confidence level: 100%)
6606 | AsyncRAT botnet C2 server (confidence level: 100%)
50555 | Hook botnet C2 server (confidence level: 100%)
80 | ERMAC botnet C2 server (confidence level: 100%)
60000 | Unknown malware botnet C2 server (confidence level: 100%)
4443 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
443 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
8080 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
80 | Bashlite botnet C2 server (confidence level: 100%)
4444 | Cobalt Strike botnet C2 server (confidence level: 100%)
5555 | Cobalt Strike botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
8443 | Cobalt Strike botnet C2 server (confidence level: 100%)
8088 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 50%)
443 | Cobalt Strike botnet C2 server (confidence level: 50%)
50050 | Cobalt Strike botnet C2 server (confidence level: 50%)
31337 | Sliver botnet C2 server (confidence level: 50%)
31337 | Sliver botnet C2 server (confidence level: 50%)
31337 | Sliver botnet C2 server (confidence level: 50%)
31337 | Sliver botnet C2 server (confidence level: 50%)
31337 | Sliver botnet C2 server (confidence level: 50%)
31337 | Sliver botnet C2 server (confidence level: 50%)
9000 | SectopRAT botnet C2 server (confidence level: 50%)
2083 | Brute Ratel C4 botnet C2 server (confidence level: 50%)
13 | NetSupportManager RAT botnet C2 server (confidence level: 50%)
443 | Unknown malware botnet C2 server (confidence level: 50%)
23258 | XWorm botnet C2 server (confidence level: 50%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
2095 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
9001 | Cobalt Strike botnet C2 server (confidence level: 100%)
9999 | Cobalt Strike botnet C2 server (confidence level: 100%)
37830 | Remcos botnet C2 server (confidence level: 100%)
443 | Sliver botnet C2 server (confidence level: 100%)
888 | AsyncRAT botnet C2 server (confidence level: 100%)
6606 | AsyncRAT botnet C2 server (confidence level: 100%)
443 | Havoc botnet C2 server (confidence level: 100%)
443 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
9999 | MooBot botnet C2 server (confidence level: 100%)
5939 | Quasar RAT botnet C2 server (confidence level: 50%)
443 | DeimosC2 botnet C2 server (confidence level: 75%)
8888 | Sliver botnet C2 server (confidence level: 75%)
443 | QakBot botnet C2 server (confidence level: 75%)
443 | DeimosC2 botnet C2 server (confidence level: 75%)
420 | Tofsee botnet C2 server (confidence level: 100%)
21 | Agent Tesla botnet C2 server (confidence level: 50%)
21 | Agent Tesla botnet C2 server (confidence level: 50%)
21 | Agent Tesla botnet C2 server (confidence level: 50%)
8443 | Meterpreter botnet C2 server (confidence level: 75%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
2086 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
8888 | Cobalt Strike botnet C2 server (confidence level: 100%)
8443 | Cobalt Strike botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
8008 | Cobalt Strike botnet C2 server (confidence level: 100%)
6513 | Remcos botnet C2 server (confidence level: 100%)
80 | Remcos botnet C2 server (confidence level: 100%)
2427 | Remcos botnet C2 server (confidence level: 100%)
443 | Nimplant botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 50%)
31337 | Sliver botnet C2 server (confidence level: 50%)
10001 | Xtreme RAT botnet C2 server (confidence level: 50%)
9000 | SectopRAT botnet C2 server (confidence level: 50%)
443 | Kimsuky botnet C2 server (confidence level: 50%)
9205 | Unknown malware botnet C2 server (confidence level: 50%)
45682 | Remcos botnet C2 server (confidence level: 50%)
9908 | Cobalt Strike botnet C2 server (confidence level: 75%)
4433 | Cobalt Strike botnet C2 server (confidence level: 100%)
8888 | Cobalt Strike botnet C2 server (confidence level: 100%)
8000 | Ghost RAT botnet C2 server (confidence level: 100%)
2404 | Remcos botnet C2 server (confidence level: 100%)
2404 | Remcos botnet C2 server (confidence level: 100%)
8808 | AsyncRAT botnet C2 server (confidence level: 100%)
8808 | AsyncRAT botnet C2 server (confidence level: 100%)
6001 | AsyncRAT botnet C2 server (confidence level: 100%)
6606 | AsyncRAT botnet C2 server (confidence level: 100%)
7707 | AsyncRAT botnet C2 server (confidence level: 100%)
8808 | AsyncRAT botnet C2 server (confidence level: 100%)
6606 | AsyncRAT botnet C2 server (confidence level: 100%)
7443 | Unknown malware botnet C2 server (confidence level: 100%)
7443 | Unknown malware botnet C2 server (confidence level: 100%)
7443 | Unknown malware botnet C2 server (confidence level: 100%)
80 | Unknown malware botnet C2 server (confidence level: 100%)
8081 | MimiKatz botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 50%)
9009 | Cobalt Strike botnet C2 server (confidence level: 50%)
8990 | Cobalt Strike botnet C2 server (confidence level: 50%)
80 | Cobalt Strike botnet C2 server (confidence level: 50%)
31337 | Sliver botnet C2 server (confidence level: 50%)
31337 | Sliver botnet C2 server (confidence level: 50%)
31337 | Sliver botnet C2 server (confidence level: 50%)
7777 | Unknown malware botnet C2 server (confidence level: 50%)
2427 | NjRAT botnet C2 server (confidence level: 100%)
53 | Cobalt Strike botnet C2 server (confidence level: 75%)
53 | Cobalt Strike botnet C2 server (confidence level: 75%)
53 | Cobalt Strike botnet C2 server (confidence level: 75%)
53 | Cobalt Strike botnet C2 server (confidence level: 75%)
2404 | Remcos botnet C2 server (confidence level: 100%)
443 | Remcos botnet C2 server (confidence level: 100%)
443 | Sliver botnet C2 server (confidence level: 100%)
8888 | Unknown malware botnet C2 server (confidence level: 100%)
7707 | AsyncRAT botnet C2 server (confidence level: 100%)
80 | Poseidon Stealer botnet C2 server (confidence level: 100%)
443 | Havoc botnet C2 server (confidence level: 100%)
7878 | Havoc botnet C2 server (confidence level: 100%)
80 | Brute Ratel C4 botnet C2 server (confidence level: 100%)
80 | Chaos botnet C2 server (confidence level: 100%)
54681 | Chaos botnet C2 server (confidence level: 100%)
995 | QakBot botnet C2 server (confidence level: 75%)
87 | DeimosC2 botnet C2 server (confidence level: 75%)
6666 | ValleyRAT botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 75%)
Url
Value | Description
---|---
https://topguningit.com/test/ | Latrodectus botnet C2 (confidence level: 100%)
https://lofiramegi.com/test/ | Latrodectus botnet C2 (confidence level: 100%)
http://154.198.50.83:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
http://176.65.144.114:50555/ | Hook botnet C2 (confidence level: 50%)
http://103.116.8.240:50555/ | Hook botnet C2 (confidence level: 50%)
https://pastebin.com/raw/r9a1gjxb | XWorm botnet C2 (confidence level: 50%)
https://egirlcam.com/ | Quasar RAT payload delivery URL (confidence level: 50%)
http://odyssey-st.com/ | Unknown malware botnet C2 (confidence level: 50%)
http://61.3.26.117:55159/mozi.m | Mozi payload delivery URL (confidence level: 50%)
https://login.mexc-signin.kro.kr | Kimsuky botnet C2 (confidence level: 50%)
http://212194cm.nyashware.ru/phppacketmultibaseuniversaltrackuploadsdownloads.php | DCRat botnet C2 (confidence level: 100%)
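The tables above arrive with the address and port halves of each ip:port indicator in separate tables, a glued "file"/"hash"/"url" prefix on every value, and the confidence level buried in the description text. The script below is an added example, not part of the ThreatFox feed or of this page: it parses rows in the layout shown here, re-pairs addresses with ports by position (an assumption that holds for the eight pairs visible on this page, Havoc/7878 through Cobalt Strike/443, and that the code enforces by comparing description and confidence row by row), and matches the result against firewall/proxy log lines in an assumed key=value layout, keeping only indicators at or above a chosen confidence. The table excerpts and the log lines are constructed for the example.

```python
"""Re-pair split ip:port indicators from the tables above and match them
against log lines. Added example, not part of the ThreatFox feed or the page;
table excerpts and log lines are constructed."""
import re
from dataclasses import dataclass

# Excerpt of the address table as it appears on the page ("file" prefix is
# copy-button residue left by the export).
IP_TABLE = """\
file154.21.201.16 | Havoc botnet C2 server (confidence level: 100%) | |
file18.177.128.103 | Brute Ratel C4 botnet C2 server (confidence level: 100%) | |
file23.24.41.225 | QakBot botnet C2 server (confidence level: 75%) | |
"""
# The rows of the page's "Hash" table at the same positions: the port half of
# each ip:port indicator, in the same order as the addresses (assumption,
# checked in rejoin_ip_port by comparing description and confidence).
PORT_TABLE = """\
hash7878 | Havoc botnet C2 server (confidence level: 100%) | |
hash80 | Brute Ratel C4 botnet C2 server (confidence level: 100%) | |
hash995 | QakBot botnet C2 server (confidence level: 75%) | |
"""
URL_TABLE = """\
urlhttps://topguningit.com/test/ | Latrodectus botnet C2 (confidence level: 100%) | |
urlhttp://154.198.50.83:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%) | |
"""
# Constructed firewall/proxy lines in an assumed key=value layout.
SAMPLE_LOGS = [
    "2025-05-11T10:02:13Z src=10.0.0.5 dst=154.21.201.16 dport=7878 proto=tcp action=allow",
    "2025-05-11T10:05:41Z src=10.0.0.9 dst=23.24.41.225 dport=995 proto=tcp action=allow",
    "2025-05-11T10:06:02Z src=10.0.0.9 dst=23.24.41.225 dport=443 proto=tcp action=allow",
    "2025-05-11T10:07:30Z src=10.0.0.12 dst=104.21.0.1 dport=443 url=https://topguningit.com/test/ action=allow",
    "2025-05-11T10:09:00Z src=10.0.0.7 dst=8.8.8.8 dport=53 proto=udp action=allow",
]

# "<prefix><value> | <description> (confidence level: NN%) ..." with the glued prefix optional
ROW = re.compile(r"^(?:file|hash|url)?(\S+)\s*\|\s*(.+?)\s*\(confidence level:\s*(\d+)%\)")
LOG = re.compile(r"\bdst=(\S+)\s+dport=(\d+)(?:\s+url=(\S+))?")


@dataclass(frozen=True)
class Indicator:
    value: str        # "ip:port" or a URL
    family: str       # description text, e.g. "Havoc botnet C2 server"
    confidence: int   # ThreatFox confidence level, 0-100


def parse_table(text):
    """Parse rows in the page's layout into Indicator objects, prefix stripped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(Indicator(m.group(1), m.group(2).strip(), int(m.group(3))))
    return rows


def rejoin_ip_port(ip_rows, port_rows):
    """Pair address and port rows by position into ip:port indicators.

    Refuses to pair rows whose description or confidence differ: that means
    the positional assumption does not hold and the result would be wrong."""
    if len(ip_rows) != len(port_rows):
        raise ValueError("address and port tables differ in length")
    joined = []
    for ip, port in zip(ip_rows, port_rows):
        if (ip.family, ip.confidence) != (port.family, port.confidence):
            raise ValueError(f"row mismatch: {ip.value} ({ip.family}) vs port {port.value} ({port.family})")
        joined.append(Indicator(f"{ip.value}:{port.value}", ip.family, ip.confidence))
    return joined


def build_indicators():
    """All indicators from the excerpts: re-paired ip:port entries plus URLs."""
    return rejoin_ip_port(parse_table(IP_TABLE), parse_table(PORT_TABLE)) + parse_table(URL_TABLE)


def match_logs(lines, indicators, min_confidence=75):
    """Return (line, indicator) pairs whose dst:dport or url equals an indicator
    with confidence >= min_confidence. ip:port indicators are port-specific, so
    traffic to a listed address on a different port does not match."""
    wanted = {i.value: i for i in indicators if i.confidence >= min_confidence}
    hits = []
    for line in lines:
        m = LOG.search(line)
        if not m:
            continue
        dst, dport, url = m.groups()
        for key in (f"{dst}:{dport}", url):
            if key in wanted:
                hits.append((line, wanted[key]))
    return hits


if __name__ == "__main__":
    for line, ioc in match_logs(SAMPLE_LOGS, build_indicators(), min_confidence=75):
        print(f"{ioc.confidence:>3}% {ioc.family:<32} {line}")
```

Raising the threshold to 100 drops the QakBot hit (listed at 75%), and the third log line shows why ip:port indicators should not be flattened to bare addresses without a deliberate decision: 23.24.41.225 on port 443 is not in the feed, only port 995 is.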
Threat ID: 682c7db1e8347ec82d29ed51
Added to database: 5/20/2025, 1:03:45 PM
Last enriched: 6/19/2025, 3:31:53 PM
Last updated: 8/8/2025, 7:15:26 AM