ThreatFox IOC Database
You are viewing the ThreatFox database entry for ip:port 64.40.154.72:56001.
Database Entry
| IOC ID: | 1740712 |
|---|---|
| IOC: | 64.40.154.72:56001 |
| IOC Type: | ip:port |
| Threat Type: | botnet_cc |
| Malware: | PXA Stealer |
| Malware alias: | PXAStealer, PXA |
| Confidence Level: | high (100%) |
| Is compromised?: | False |
| ASN: | AS397423 TIER-NET |
| Country: | US |
| First seen: | 2026-02-03 10:17:59 UTC |
| Last seen: | never |
| UUID: | 6f1577f7-00e4-11f1-ac94-42010aa4000a |
| Reporter: | ghost30 |
| Reward: | 5 credits from ThreatFox |
Hello,

Following an attempted infection of one of our workstations, we observed active command and control activity originating from IP address 60.40.154.72 on TCP port 56001 while running the malicious payload in a sandbox environment.
The server establishes TLS connections using a self-signed certificate (CN: Bdaklaui, with an abnormal validity period extending to the year 10000) and exchanges encrypted application data without using the HTTP protocol.
The server sends commands immediately after establishing the TLS connection and receives significant amounts of encrypted data from the infected hosts, consistent with command and control behavior and data exfiltration.
This activity was observed on January 30, 2026 (UTC).
We can provide packet captures and certificate fingerprints upon request.
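The indicators in this entry and in the reporter's comment (IP:port, self-signed certificate with subject CN Bdaklaui, absurdly long validity, TLS on a non-standard port) turned into detection logic, as an added example that is not code from ThreatFox, abuse.ch or the reporter. It runs over constructed Zeek-style ssl.log and x509.log JSON records; the field names follow Zeek's conventions but every value is invented, the exact x509.log schema differs between Zeek versions, the 20-year validity threshold and the Suricata SIDs are assumptions, and the reporter's "year 10000" is modelled as 9999-12-31T23:59:59Z, the latest notAfter an X.509 GeneralizedTime can encode.

```python
"""Turn the indicators in this ThreatFox entry into detection logic.

Added example: not code from ThreatFox, abuse.ch or the reporter. It runs
over constructed Zeek-style ssl.log / x509.log records (JSON lines); field
names follow Zeek's conventions, values are invented for the demo, and the
exact x509.log schema differs between Zeek versions.
"""
import json
from datetime import datetime, timedelta, timezone

# Indicators taken from the database entry and the reporter's comment.
IOC_ID = 1740712
C2_IP, C2_PORT = "64.40.154.72", 56001
SUSPICIOUS_CN = "Bdaklaui"
# Assumption: a certificate valid for more than 20 years is treated as abnormal.
MAX_VALIDITY_DAYS = 20 * 365
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample records. 253402300799 is 9999-12-31T23:59:59Z, the latest
# notAfter X.509 can encode; the reporter's "year 10000" is modelled with it.
# C3 shows a second server using the same certificate on a different IP.
SAMPLE_SSL_LOG = """\
{"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"64.40.154.72","id.resp_p":56001,"cert_chain_fuids":["F1"]}
{"uid":"C2","id.orig_h":"10.0.0.7","id.orig_p":44321,"id.resp_h":"198.51.100.20","id.resp_p":443,"cert_chain_fuids":["F2"]}
{"uid":"C3","id.orig_h":"10.0.0.9","id.orig_p":40001,"id.resp_h":"203.0.113.8","id.resp_p":56001,"cert_chain_fuids":["F3"]}
"""
SAMPLE_X509_LOG = """\
{"id":"F1","certificate.subject":"CN=Bdaklaui","certificate.issuer":"CN=Bdaklaui","certificate.not_valid_before":1769768000,"certificate.not_valid_after":253402300799}
{"id":"F2","certificate.subject":"CN=www.example.com","certificate.issuer":"CN=Example CA,O=Example,C=US","certificate.not_valid_before":1767000000,"certificate.not_valid_after":1774000000}
{"id":"F3","certificate.subject":"CN=Bdaklaui","certificate.issuer":"CN=Bdaklaui","certificate.not_valid_before":1769768000,"certificate.not_valid_after":253402300799}
"""


def parse_jsonl(text):
    """Parse one JSON object per line (Zeek's JSON log format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def certificate_findings(x509_records):
    """Map certificate id -> reasons for certificates matching the reporter's description.

    A certificate is flagged when its subject CN matches or its validity period
    is abnormally long. Self-signing is only recorded as supporting context,
    because self-signed certificates are far too common to alert on alone.
    """
    findings = {}
    for rec in x509_records:
        subject = rec.get("certificate.subject", "")
        issuer = rec.get("certificate.issuer", "")
        reasons = []
        if f"CN={SUSPICIOUS_CN}" in subject.split(","):
            reasons.append(f"subject CN {SUSPICIOUS_CN}")
        before = rec.get("certificate.not_valid_before")
        after = rec.get("certificate.not_valid_after")
        if before is not None and after is not None:
            days = (after - before) / 86400
            if days > MAX_VALIDITY_DAYS:
                # timedelta arithmetic avoids platform limits of fromtimestamp().
                until = (EPOCH + timedelta(seconds=after)).strftime("%Y-%m-%d")
                reasons.append(f"validity {days:.0f} days (until {until})")
        if reasons and subject == issuer:
            reasons.append("self-signed")
        if reasons:
            findings[rec["id"]] = reasons
    return findings


def connection_findings(ssl_records, cert_findings):
    """Return alerts for TLS sessions that hit the IP:port IOC or present a flagged cert."""
    alerts = []
    for conn in ssl_records:
        reasons = []
        if conn["id.resp_h"] == C2_IP and conn["id.resp_p"] == C2_PORT:
            reasons.append(f"ThreatFox IOC {IOC_ID}: {C2_IP}:{C2_PORT}")
        for fuid in conn.get("cert_chain_fuids", []):
            reasons.extend(f"cert {fuid}: {r}" for r in cert_findings.get(fuid, []))
        if reasons:
            alerts.append({
                "uid": conn["uid"],
                "src": conn["id.orig_h"],
                "dst": f"{conn['id.resp_h']}:{conn['id.resp_p']}",
                "reasons": reasons,
            })
    return alerts


def suricata_rules(sid_base=1000000):
    """Suricata rules for the IP:port IOC and for the certificate subject CN (SIDs assumed)."""
    return [
        f'alert tls $HOME_NET any -> {C2_IP} {C2_PORT} (msg:"PXA Stealer C2 (ThreatFox IOC {IOC_ID})"; '
        f'flow:to_server; sid:{sid_base}; rev:1;)',
        f'alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"PXA Stealer C2 certificate CN {SUSPICIOUS_CN}"; '
        f'flow:established,from_server; tls.cert_subject; content:"CN={SUSPICIOUS_CN}"; sid:{sid_base + 1}; rev:1;)',
    ]


def analyse(ssl_log=SAMPLE_SSL_LOG, x509_log=SAMPLE_X509_LOG):
    """Run certificate and connection checks over JSON-lines logs and return the alerts."""
    certs = certificate_findings(parse_jsonl(x509_log))
    return connection_findings(parse_jsonl(ssl_log), certs)


if __name__ == "__main__":
    for alert in analyse():
        print(alert["uid"], alert["src"], "->", alert["dst"])
        for reason in alert["reasons"]:
            print("   ", reason)
    print("\n".join(suricata_rules()))
```

On the constructed input, C1 is caught by both the IP:port IOC and the certificate checks, while C3 (same certificate on a different server) is caught only by the certificate checks; that is the reason to pair an IP IOC with the certificate properties the reporter described, since the IP will be rotated long before the certificate is. The validity check also works as a generic hunting query independent of the CN.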