ThreatFox IOCs for 2025-06-22
AI Analysis
Technical Summary
This entry is the daily export of the abuse.ch ThreatFox MISP feed for 2025-06-22, not a single campaign. It bundles 147 indicators submitted that day (27 domains, 105 IP:port pairs and 15 URLs), almost all of them command-and-control (C2) endpoints. The families represented are the usual mix of post-exploitation frameworks (Cobalt Strike, Havoc, Sliver, AdaptixC2, DeimosC2, Meterpreter and one Brute Ratel C4 domain), remote-access trojans (AsyncRAT, Quasar RAT, XWorm, Remcos, DCRat, Venom RAT, DarkComet, SectopRAT, Ghost RAT, ValleyRAT and NetSupport Manager RAT), information stealers and loaders (Stealc, Rhadamanthys, ACR Stealer, Koi Loader, Koi Stealer and an unnamed loader), the Hook Android banking trojan, the IoT botnets Mirai, MooBot and Bashlite, and single QakBot, BianLian and Eye Pyramid entries. The "OSINT", "Network activity" and "Payload delivery" labels are MISP tags and attribute categories on the event, not a description of attacker tradecraft: the event is shared as open-source intelligence, and its attributes describe C2 network activity plus a handful of payload-delivery domains and URLs (for example https://gowqpaz.com/shield.msi). In MISP terms, threat level 2 is "Medium", analysis 1 is "Ongoing" and distribution 3 is "All communities". No CVE or CWE applies because the feed describes attacker infrastructure rather than a vulnerability; there is nothing to patch, and the question for a defender is whether any host has talked to these endpoints. One rendering artefact matters for anyone consuming this page: ThreatFox publishes C2 servers as composite ip-dst|port attributes, and the feed consumer that produced this page split each one into a "file" entry (actually the IPv4 address) and a "hash" entry (actually the TCP or UDP port). A value such as "hash: 443" is a destination port, not a file hash, and must not be loaded into a hash blocklist. Confidence is assigned per indicator by the reporter: most entries are 100%, while the 75% entries (several Cobalt Strike, Sliver, DeimosC2, QakBot, Mirai and Remcos servers) carry lower reporter confidence and deserve corroboration before they are blocked.
Potential Impact
For European organizations, a connection from an internal host to any of these endpoints is evidence of an existing compromise rather than an attempted one: Cobalt Strike, Havoc, Sliver, AdaptixC2 and Meterpreter beacons only appear after code execution, and those frameworks are the normal precursor to credential theft, lateral movement and ransomware deployment. The RAT and stealer C2s (AsyncRAT, Remcos, Quasar RAT, XWorm, DCRat, Stealc, Rhadamanthys and the Koi loader/stealer pair) point to commodity phishing and malvertising campaigns whose immediate impact is stolen browser sessions, saved credentials and cryptocurrency wallets. The Hook entries concern Android devices, and the Mirai, MooBot and Bashlite servers (one of them listening on port 23) concern exposed IoT and embedded devices rather than workstations. Much of the infrastructure is disposable: rented VPS space, addresses in AWS, Azure, Alibaba, Tencent and Huawei cloud ranges, Tencent and Baidu serverless function endpoints (tencentscf.com, cfc-execute.bj.baidubce.com) listed as Cobalt Strike C2, and free tunnelling or dynamic-DNS services (portmap.io, portmap.host, ply.gg, localto.net, ddns.net, no-ip.org, zapto.org). That shortens the useful life of the IP-based indicators to days and means that some addresses are shared with legitimate tenants (104.21.84.25, for instance, sits in Cloudflare's 104.16.0.0/13 range). Two of the domains are lookalikes: test.manageenglne.com imitates the ManageEngine product name and trezor-io-start.typedream.app imitates Trezor's wallet setup page, suggesting credential-theft lures aimed at administrators and cryptocurrency users. Because the feed is a daily aggregate with no victim telemetry, the country list below reflects the site's own exposure assessment, not observed targeting.
Mitigation Recommendations
Treat this entry as a retro-hunt and blocking list, not as a patching exercise. Ingest the indicators in their native form from ThreatFox (the API or the MISP feed) rather than from this page, so that IP:port pairs stay composite and the port can be enforced: a match on address plus destination port is far more specific than a bare address, and for shared cloud or CDN addresses (104.21.84.25 is in Cloudflare's 104.16.0.0/13 range) an address-only block will break unrelated sites. Search the preceding weeks of firewall, proxy, DNS and EDR network telemetry for the exact socket, FQDN or URL. For the two Cobalt Strike servers on port 53 (104.248.16.75:53 and 119.8.124.29:53) also look for internal hosts sending DNS directly to any external address other than the approved resolvers, which is the generic signature of DNS-beacon C2 and will still fire after the operator moves to a new address. Block hostnames on tunnelling and dynamic-DNS services (portmap.io, portmap.host, ply.gg, localto.net, ddns.net, no-ip.org, zapto.org) as full FQDNs only: the parent domains host many unrelated users, and blocking them wholesale causes outages without stopping an operator who can register a new subdomain in minutes. For the Koi Loader URLs on vuelaviajero.com, which looks like a compromised WordPress site (the PHP files sit under wp-includes/images/, a directory that normally holds only static images), block the exact path and notify the site owner rather than blocking the domain; the Stealc URLs on 45.91.202.249 and 178.236.252.126 are attacker-controlled hosts and can be blocked outright. Route the 75%-confidence entries to alerting rather than blocking until corroborated, and expire IP-based entries after a few weeks, since most of this infrastructure is rented and recycled. On the endpoint, rely on EDR behavioural detection for the frameworks themselves (Cobalt Strike, Havoc, Sliver and AdaptixC2 beacons; AsyncRAT, Quasar RAT, XWorm and Remcos persistence), because the addresses will change long before the tooling does. Finally, do not copy the "hash" values from this page into any file-hash blocklist: they are ports.
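A worked retro-hunt over constructed log lines, as an added example that is not part of the ThreatFox feed or of this site's analysis: it takes a subset of the indicators on this page and matches them against firewall, DNS and proxy records in a constructed key=value format, enforcing the port for IP:port indicators, exact-FQDN matching for hosts on shared tunnelling services, and www/trailing-dot normalisation for URLs and DNS names. The log format, the internal addresses and the log lines themselves are assumptions made for the demo.

```python
"""Retro-hunt a handful of the ThreatFox 2025-06-22 indicators across
firewall, proxy and DNS log lines.

Added example: the indicator subset is copied from the tables on this page;
the key=value log format and the log lines themselves are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator subset from this page (value -> malware family).
C2_SOCKETS = {
    "147.45.45.156:51000": "Havoc",
    "185.72.199.116:1717": "Quasar RAT",
    "104.248.16.75:53": "Cobalt Strike",
    "104.21.84.25:2096": "Cobalt Strike",
    "134.199.192.154:23": "Bashlite",
}
C2_DOMAINS = {
    "regional-evaluate.gl.at.ply.gg": "XWorm",
    "hackblue.zapto.org": "DarkComet",
    "ns1.basicvitals.com": "Brute Ratel C4",
}
C2_URLS = {
    "https://vuelaviajero.com/wp-includes/images/belashrt.php": "Koi Loader",
    "http://45.91.202.249/4d508511aa6b4a4e.php": "Stealc",
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str      # socket | ip-only | domain | url
    value: str
    family: str


def _canon_host(host: str) -> str:
    """Lower-case, strip the trailing dot of DNS qnames and a leading www."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def _canon_url(url: str) -> str:
    """scheme://host/path with the host canonicalised; query strings dropped."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{_canon_host(p.hostname or '')}{p.path or '/'}"


_SOCKET_IPS = {s.rsplit(":", 1)[0] for s in C2_SOCKETS}
_DOMAINS = {_canon_host(d): f for d, f in C2_DOMAINS.items()}
_URLS = {_canon_url(u): f for u, f in C2_URLS.items()}
_KV = re.compile(r"(\w+)=(\S+)")


def match_line(line_no: int, line: str) -> list:
    """Return the Hit objects for one key=value log line."""
    kv = dict(_KV.findall(line))
    hits = []
    dst, dport = kv.get("dst"), kv.get("dport")
    if dst and dport:
        sock = f"{dst}:{dport}"
        if sock in C2_SOCKETS:
            hits.append(Hit(line_no, "socket", sock, C2_SOCKETS[sock]))
        elif dst in _SOCKET_IPS:
            # Same address, different port.  Several C2 addresses on this page
            # are shared cloud/CDN space, so this is a review item, not an alert.
            hits.append(Hit(line_no, "ip-only", dst, "review"))
    if "qname" in kv:
        qname = _canon_host(kv["qname"])
        # Exact FQDN only: other subdomains of ply.gg, portmap.io, ddns.net etc.
        # belong to unrelated users of the same tunnelling/dynamic-DNS service.
        if qname in _DOMAINS:
            hits.append(Hit(line_no, "domain", qname, _DOMAINS[qname]))
    if "url" in kv:
        url = _canon_url(kv["url"])
        if url in _URLS:
            hits.append(Hit(line_no, "url", url, _URLS[url]))
    return hits


def hunt(lines) -> list:
    """Run match_line over a sequence of log lines, numbering them from 1."""
    return [h for n, line in enumerate(lines, 1) for h in match_line(n, line)]


# Constructed log lines (not real telemetry); lines 2 and 4 must NOT alert.
SAMPLE_LOG = [
    "2025-06-22T09:14:03Z fw src=10.20.4.17 dst=147.45.45.156 dport=51000 proto=tcp action=allow",
    "2025-06-22T09:15:10Z fw src=10.20.4.17 dst=104.21.84.25 dport=443 proto=tcp action=allow",
    "2025-06-22T09:16:41Z dns src=10.20.7.3 qname=regional-evaluate.gl.at.ply.gg. qtype=A",
    "2025-06-22T09:16:42Z dns src=10.20.7.3 qname=other-tenant.gl.at.ply.gg qtype=A",
    "2025-06-22T09:20:05Z proxy src=10.20.9.8 method=GET url=https://www.vuelaviajero.com/wp-includes/images/belashrt.php status=200",
    "2025-06-22T09:22:00Z fw src=10.20.3.2 dst=104.248.16.75 dport=53 proto=udp action=allow",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind:8} {h.value} -> {h.family}")
```

Line 2 (the Cloudflare-range address on a port the feed does not list) is reported as a review item rather than an alert, and line 4 (a sibling subdomain on the same tunnelling service) produces nothing; both are the false positives an address-only or parent-domain match would have raised.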
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Threat Level: 2 (MISP threat_level_id 2 = Medium)
- Analysis: 1 (MISP analysis 1 = Ongoing)
- Distribution: 3 (MISP distribution 3 = All communities)
- UUID: 9247a1c9-d356-4436-9e99-057c5d3b89f1
- Original Timestamp: 1750636986 (2025-06-23 00:03:06 UTC)
Indicators of Compromise
Type labels corrected from the original rendering: the feed's composite ip-dst|port attributes had been shown as a "File" table (the addresses) and a "Hash" table (the ports); they are re-joined below in feed order. No file hashes are present in this event.
Domain
Value | Description
---|---
ns1.basicvitals.com | Brute Ratel C4 botnet C2 domain (confidence level: 100%)
security.gyredoflzares.com | Unknown malware payload delivery domain (confidence level: 100%)
gowqpaz.com | Unknown malware payload delivery domain (confidence level: 100%)
test.manageenglne.com | Unknown Loader payload delivery domain (confidence level: 90%)
ecs-113-44-139-80.compute.hwclouds-dns.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
elgg.santutxuht.eus | Unknown malware botnet C2 domain (confidence level: 100%)
www.dulcidora.com.br | Havoc botnet C2 domain (confidence level: 100%)
justhk.saoken.me | Unknown malware botnet C2 domain (confidence level: 100%)
trezor-io-start.typedream.app | Unknown malware botnet C2 domain (confidence level: 100%)
regional-evaluate.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 100%)
de5.localto.net | Quasar RAT botnet C2 domain (confidence level: 100%)
waohsfs-48136.portmap.io | XWorm botnet C2 domain (confidence level: 100%)
season-clothes.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 100%)
asasas44-58548.portmap.io | Quasar RAT botnet C2 domain (confidence level: 100%)
myhost5.ddns.net | Quasar RAT botnet C2 domain (confidence level: 100%)
hackblue.zapto.org | DarkComet botnet C2 domain (confidence level: 100%)
snezze-27701.portmap.io | Quasar RAT botnet C2 domain (confidence level: 100%)
holycrappycrap.no-ip.org | DarkComet botnet C2 domain (confidence level: 100%)
b1.cornmealjustly.lat | ACR Stealer botnet C2 domain (confidence level: 100%)
panel333222111.icu | Unknown malware botnet C2 domain (confidence level: 100%)
espinyskibidi-40205.portmap.host | Quasar RAT botnet C2 domain (confidence level: 100%)
johncollins55-29335.portmap.io | Quasar RAT botnet C2 domain (confidence level: 100%)
ns1.ns.xiaotusu.top | Cobalt Strike botnet C2 domain (confidence level: 75%)
ns2.ns.xiaotusu.top | Cobalt Strike botnet C2 domain (confidence level: 75%)
sp.b0t.me | Cobalt Strike botnet C2 domain (confidence level: 75%)
1357965137-bafd04zr1t.ap-guangzhou.tencentscf.com | Cobalt Strike botnet C2 domain (confidence level: 75%)
fazstpgnpnqb0.cfc-execute.bj.baidubce.com | Cobalt Strike botnet C2 domain (confidence level: 75%)
IP:port (ip-dst|port)
Value | Description
---|---
147.45.45.156:51000 | Havoc botnet C2 server (confidence level: 100%)
196.251.117.41:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
157.230.218.246:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
77.73.131.91:9000 | SectopRAT botnet C2 server (confidence level: 100%)
154.61.80.43:80 | Hook botnet C2 server (confidence level: 100%)
185.72.199.116:1717 | Quasar RAT botnet C2 server (confidence level: 100%)
179.113.39.3:7000 | Venom RAT botnet C2 server (confidence level: 100%)
204.13.236.238:4449 | Venom RAT botnet C2 server (confidence level: 100%)
102.46.109.60:4445 | DCRat botnet C2 server (confidence level: 100%)
23.94.99.5:8848 | DCRat botnet C2 server (confidence level: 100%)
54.154.145.60:8090 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
104.21.84.25:2096 | Cobalt Strike botnet C2 server (confidence level: 75%)
119.45.160.154:8888 | Unknown malware botnet C2 server (confidence level: 100%)
89.23.97.45:8808 | AsyncRAT botnet C2 server (confidence level: 100%)
196.251.83.225:2222 | AsyncRAT botnet C2 server (confidence level: 100%)
45.95.42.238:80 | Hook botnet C2 server (confidence level: 100%)
83.7.213.183:443 | Havoc botnet C2 server (confidence level: 100%)
15.160.201.4:7443 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
15.157.63.71:1962 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
89.42.88.254:80 | MooBot botnet C2 server (confidence level: 100%)
120.76.243.150:60000 | Unknown malware botnet C2 server (confidence level: 100%)
34.234.147.190:443 | Unknown malware botnet C2 server (confidence level: 100%)
20.160.219.70:3333 | Unknown malware botnet C2 server (confidence level: 100%)
138.68.140.60:3333 | Unknown malware botnet C2 server (confidence level: 100%)
194.233.66.58:3333 | Unknown malware botnet C2 server (confidence level: 100%)
16.171.15.154:3333 | Unknown malware botnet C2 server (confidence level: 100%)
109.70.24.35:3333 | Unknown malware botnet C2 server (confidence level: 100%)
13.210.249.235:8080 | Unknown malware botnet C2 server (confidence level: 100%)
185.105.109.98:8088 | Unknown malware botnet C2 server (confidence level: 100%)
138.68.146.199:3333 | Unknown malware botnet C2 server (confidence level: 100%)
107.161.154.83:8080 | BianLian botnet C2 server (confidence level: 100%)
49.234.190.156:801 | Cobalt Strike botnet C2 server (confidence level: 100%)
47.105.65.102:5555 | Cobalt Strike botnet C2 server (confidence level: 100%)
122.164.178.173:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
90.132.217.39:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
129.204.103.151:8081 | Cobalt Strike botnet C2 server (confidence level: 100%)
47.238.234.146:4444 | Cobalt Strike botnet C2 server (confidence level: 100%)
176.96.131.92:5683 | Mirai botnet C2 server (confidence level: 75%)
193.239.237.85:443 | Unknown Loader botnet C2 server (confidence level: 75%)
90.132.217.39:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
117.72.193.96:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
23.226.54.31:8043 | Cobalt Strike botnet C2 server (confidence level: 100%)
31.220.43.248:443 | Sliver botnet C2 server (confidence level: 100%)
208.91.189.183:42422 | AsyncRAT botnet C2 server (confidence level: 100%)
34.55.163.144:7443 | Unknown malware botnet C2 server (confidence level: 100%)
45.95.42.238:8089 | Hook botnet C2 server (confidence level: 100%)
216.9.225.45:8987 | Remcos botnet C2 server (confidence level: 75%)
118.253.172.111:4506 | DeimosC2 botnet C2 server (confidence level: 75%)
185.117.91.4:443 | Eye Pyramid botnet C2 server (confidence level: 75%)
70.31.125.34:2078 | QakBot botnet C2 server (confidence level: 75%)
173.249.29.108:1452 | AsyncRAT botnet C2 server (confidence level: 100%)
173.249.29.108:4145 | XWorm botnet C2 server (confidence level: 100%)
185.55.240.111:4449 | AsyncRAT botnet C2 server (confidence level: 100%)
103.105.103.3:80 | Meterpreter botnet C2 server (confidence level: 75%)
124.220.205.147:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
114.55.43.55:8443 | Cobalt Strike botnet C2 server (confidence level: 100%)
107.174.127.172:8080 | Cobalt Strike botnet C2 server (confidence level: 100%)
107.174.127.172:23456 | Cobalt Strike botnet C2 server (confidence level: 100%)
172.81.130.46:8808 | AsyncRAT botnet C2 server (confidence level: 100%)
194.180.48.186:4444 | AsyncRAT botnet C2 server (confidence level: 100%)
57.155.89.101:443 | Unknown malware botnet C2 server (confidence level: 100%)
51.38.137.98:80 | MooBot botnet C2 server (confidence level: 100%)
172.236.140.140:3333 | Unknown malware botnet C2 server (confidence level: 100%)
85.9.206.45:8000 | MimiKatz botnet C2 server (confidence level: 100%)
43.156.15.56:4321 | AdaptixC2 botnet C2 server (confidence level: 100%)
124.70.219.41:7070 | Cobalt Strike botnet C2 server (confidence level: 75%)
45.141.151.174:1604 | Quasar RAT botnet C2 server (confidence level: 100%)
45.153.34.229:443 | Rhadamanthys botnet C2 server (confidence level: 100%)
154.222.31.14:8808 | Cobalt Strike botnet C2 server (confidence level: 100%)
185.149.146.41:14431 | Rhadamanthys botnet C2 server (confidence level: 100%)
139.28.219.36:54872 | Remcos botnet C2 server (confidence level: 100%)
196.251.70.128:2404 | Remcos botnet C2 server (confidence level: 100%)
185.208.158.175:2973 | Remcos botnet C2 server (confidence level: 100%)
193.56.135.167:9373 | Remcos botnet C2 server (confidence level: 100%)
216.9.224.215:2080 | Remcos botnet C2 server (confidence level: 100%)
196.251.83.251:2404 | Remcos botnet C2 server (confidence level: 100%)
91.199.42.144:2404 | Remcos botnet C2 server (confidence level: 100%)
213.209.143.110:2404 | Remcos botnet C2 server (confidence level: 100%)
79.110.49.116:2404 | Remcos botnet C2 server (confidence level: 100%)
196.251.83.225:8888 | AsyncRAT botnet C2 server (confidence level: 100%)
185.156.72.11:9000 | SectopRAT botnet C2 server (confidence level: 100%)
34.61.138.114:443 | Unknown malware botnet C2 server (confidence level: 100%)
82.153.138.236:7443 | Unknown malware botnet C2 server (confidence level: 100%)
20.195.8.103:443 | Unknown malware botnet C2 server (confidence level: 100%)
157.230.38.27:13337 | Havoc botnet C2 server (confidence level: 100%)
134.199.192.154:23 | Bashlite botnet C2 server (confidence level: 100%)
185.208.158.168:4321 | AdaptixC2 botnet C2 server (confidence level: 100%)
103.82.21.119:4782 | Quasar RAT botnet C2 server (confidence level: 100%)
45.91.202.249:80 | Stealc botnet C2 server (confidence level: 100%)
178.236.252.126:80 | Stealc botnet C2 server (confidence level: 100%)
43.250.174.49:8848 | ValleyRAT botnet C2 server (confidence level: 100%)
119.91.227.214:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
115.159.125.103:8080 | Cobalt Strike botnet C2 server (confidence level: 100%)
101.34.83.159:888 | Ghost RAT botnet C2 server (confidence level: 100%)
102.96.148.134:443 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
18.130.226.244:18244 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
43.209.3.230:3306 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
103.69.194.85:8888 | Sliver botnet C2 server (confidence level: 75%)
159.0.2.127:443 | QakBot botnet C2 server (confidence level: 75%)
167.250.204.162:60000 | Unknown malware botnet C2 server (confidence level: 75%)
3.31.175.167:443 | DeimosC2 botnet C2 server (confidence level: 75%)
34.203.174.32:443 | DeimosC2 botnet C2 server (confidence level: 75%)
104.248.16.75:53 | Cobalt Strike botnet C2 server (confidence level: 75%)
119.8.124.29:53 | Cobalt Strike botnet C2 server (confidence level: 75%)
8.218.77.224:9081 | Cobalt Strike botnet C2 server (confidence level: 75%)
URL
Value | Description
---|---
http://147.45.45.156:51000/challenge | Havoc botnet C2 (confidence level: 100%)
http://147.45.45.156:51000/fetch | Havoc botnet C2 (confidence level: 100%)
https://147.45.45.156/ | Havoc botnet C2 (confidence level: 100%)
https://147.45.45.156:51000/fetch | Havoc botnet C2 (confidence level: 100%)
https://147.45.45.156:51000/challenge | Havoc botnet C2 (confidence level: 100%)
https://gowqpaz.com/shield.msi | Unknown malware payload delivery URL (confidence level: 100%)
https://vuelaviajero.com/wp-includes/images/belashrt.php | Koi Loader botnet C2 (confidence level: 100%)
https://www.vuelaviajero.com/wp-includes/images/belashrt.php | Koi Loader botnet C2 (confidence level: 100%)
https://vuelaviajero.com/wp-includes/images/berylinewh.php | Koi Loader botnet C2 (confidence level: 100%)
https://www.vuelaviajero.com/wp-includes/images/berylinewh.php | Koi Loader botnet C2 (confidence level: 100%)
http://89.36.231.26/sempstrywork.php | Koi Stealer botnet C2 (confidence level: 100%)
http://89.36.231.26/index.php | Koi Stealer botnet C2 (confidence level: 100%)
https://throwfree.com/auth | Unknown Loader botnet C2 (confidence level: 100%)
http://45.91.202.249/4d508511aa6b4a4e.php | Stealc botnet C2 (confidence level: 100%)
http://178.236.252.126/d1efdd996aae4f49.php | Stealc botnet C2 (confidence level: 100%)
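Consumers that receive this feed through a pipeline that splits composite MISP values will see what the raw rendering of this event showed: a "file" entry holding 147.45.45.156 immediately followed by a "hash" entry holding 51000. The following added example (not code from ThreatFox, MISP or this site) re-joins such pairs into ip-dst|port attributes, types genuine hashes by their length, and flags any port-like "hash" value that has no preceding address so it can never reach a file-hash blocklist. The "- type: value" line syntax is the one the raw list used; dropper.exe and its SHA-256 (the digest of an empty file) are constructed placeholders, and the attribute type names follow MISP's conventions.

```python
"""Re-join ThreatFox ip-dst|port indicators that a feed consumer split into a
'file' entry (the address) and a 'hash' entry (the port).

Added example, not part of the feed or of this site.  RAW mixes values
copied from this page with one constructed filename/SHA-256 pair."""
import ipaddress
import re

LINE = re.compile(r"^\s*-\s*(domain|file|hash|url)\s*:\s*(\S+)\s*$")
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
HASH_TYPE = {32: "md5", 40: "sha1", 64: "sha256"}


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_port(value: str) -> bool:
    return value.isdigit() and 1 <= int(value) <= 65535


def normalise(text: str) -> list:
    """Return (misp_type, value) pairs in feed order, de-duplicated.

    A 'file' holding an IP address that is immediately followed by a 'hash'
    holding a port number becomes one ip-dst|port attribute; genuine hashes are
    typed by length; a port-like 'hash' with no preceding address is kept as a
    comment so it is never mistaken for a file hash."""
    rows = [m.groups() for m in map(LINE.match, text.splitlines()) if m]
    out, i = [], 0
    while i < len(rows):
        typ, val = rows[i]
        nxt = rows[i + 1] if i + 1 < len(rows) else None
        if typ == "file" and _is_ip(val) and nxt and nxt[0] == "hash" and _is_port(nxt[1]):
            out.append(("ip-dst|port", f"{val}|{nxt[1]}"))
            i += 2
            continue
        if typ == "file":
            out.append(("ip-dst" if _is_ip(val) else "filename", val))
        elif typ == "hash" and HEX_HASH.match(val):
            out.append((HASH_TYPE[len(val)], val.lower()))
        elif typ == "hash":
            out.append(("comment", f"unpaired port-like value {val}"))
        else:
            out.append((typ, val))
        i += 1
    # dict.fromkeys keeps first occurrence and order; the same IP may appear
    # with several ports (173.249.29.108 below) and both pairs must survive.
    return list(dict.fromkeys(out))


def to_socket(attr) -> str:
    """ip-dst|port attribute -> 'ip:port' string for firewall/proxy rules."""
    typ, val = attr
    if typ != "ip-dst|port":
        raise ValueError(f"not an ip-dst|port attribute: {typ}")
    ip, port = val.rsplit("|", 1)
    return f"{ip}:{port}"


# Constructed sample in the split rendering; IOC values are from this page,
# dropper.exe and its SHA-256 (the empty-file digest) are placeholders.
RAW = """\
- domain: ns1.basicvitals.com
- file: 147.45.45.156
- hash: 51000
- url: http://147.45.45.156:51000/challenge
- file: 173.249.29.108
- hash: 1452
- file: 173.249.29.108
- hash: 4145
- file: 104.248.16.75
- hash: 53
- file: dropper.exe
- hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- hash: 443
"""

if __name__ == "__main__":
    for attr in normalise(RAW):
        print(attr)
```

The pairing rule is deliberately strict (an IP-valued "file" directly followed by a port-valued "hash"), so a real filename followed by its digest passes through untouched, and a stray port with nothing to attach to is demoted to a comment rather than silently dropped or silently kept as a hash.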
Threat ID: 68589d8b179a4edd60b5bfb6
Added to database: 6/23/2025, 12:19:23 AM
Last enriched: 6/23/2025, 12:20:00 AM
Last updated: 8/12/2025, 2:51:00 AM