ThreatFox IOC Database

You are viewing the ThreatFox database entry for ip:port 91.92.243.111:8041.

Database Entry

IOC ID: 1801916
IOC: 91.92.243.111:8041
IOC Type: ip:port
Threat Type: botnet_cc
Malware: RemoteAdmin
Confidence Level: High (100%)
Is compromised?: False
ASN: AS202412 OMEGATECH-AS
Country: GB
First seen: 2026-04-29 07:49:20 UTC
Last seen: never
UUID: ce58de8b-4375-11f1-8759-42010aa4000a
Reporter: SamTheRuby
Reward: 5 credits from ThreatFox
Tags: ConnectWise, fiscal-lure, Flyservers, port-8041, RAT, RMM-abuse, ScreenConnect
Reference: https://any.run/report/8d2e7a0ef5bd863c2052108bfb8ff0b289be633f8d2f5cf8ba12c23389117869/2fe0c237-8042-45bc-9ff5-3f228131f17a

SamTheRuby
Self-hosted ScreenConnect RAT C2. Delivered via fake fiscal document lure (2025FISCALSTATEMENTS.exe) from filebin.net. ScreenConnect.ClientService.exe installed as SYSTEM service beaconing to this IP:port. Session GUID: 21e80b9d-97db-46bd-a084-e3247764e6fe. Client GUID: c26bd864ce80bf33. Campaign tag: "10th". UAC bypass via CMSTPLUA COM elevation. Sandbox confirmed active C2 traffic with 30 Suricata alerts. Hosted on FlyServers ASN 209588, Bulgaria.