ThreatFox IOC Database
You are viewing the ThreatFox database entry for ip:port 45.61.128.164:56003.
Database Entry
| IOC ID: | 1815106 |
|---|---|
| IOC: | 45.61.128.164:56003 |
| IOC Type : | ip:port |
| Threat Type : | botnet_cc |
| Malware: | PureRAT |
| Malware alias: | PureHVNC, ResolverRAT |
| Confidence Level : | Confidence level is high (100%) |
| Is compromised? : | False |
| ASN: | AS14956 ROUTERHOSTING |
| Country: |  IR |
| First seen: | 2026-05-17 05:49:53 UTC |
| Last seen: | never |
| UUID: | c3e96fb9-5088-11f1-b930-42010aa4000a |
| Reporter | Anonymous |
| Reward | 5 credits from ThreatFox |
| Tags: | cvtres-injection LoneNone PureRAT PXAStealer Verymuchxbot Vietnamese |
| Reference: | https://www.huntress.com/blog/purerat-threat-actor-evolution |
Anonymous
Active PureRAT C2 verified via direct TCP connectivity test fromclean network on 2026-05-15 (port 56001 returns SYN-ACK; reverse
DNS: 164.128.61.45.static.cloudzy.com).
Sample analysis in isolated VM (Windows Server 2022) confirmed:
- Loader: PXA Stealer variant (Python obfuscated, drops in
C:\Users\Public\WindowsSecure\)
- Persistence: cmd /c start svchost.exe Lib\image Verymuchxbot Admin
- Final stage: PureRAT injected into cvtres.exe (process hollowing)
- C2 connection initiated by injected cvtres.exe PID, verified via
netstat ESTABLISHED to 45.61.128.164:56001
Attribution artifacts (consistent with prior Vietnamese-cluster
attribution by Huntress, Microsoft DEX, SentinelLABS, CyberProof):
- Vietnamese-language strings in code (curse words as identifiers)
- Marker "_ngocuyen" in obfuscated strings
- Function names: dmnbase64, vaichuongcacem, manhvay,
deptraicogisai6
- Anti-decompiler junk targeting Morphisec researchers
Hosting provider Cloudzy notified 2026-05-15 via abuse@cloudzy.com;
acknowledgment received but C2 remains live at time of submission.
Sample (PXA loader Python script) detection on VirusTotal: 4/63
(trojan.pyobf signature, Sophos: Troj/PyObf-A).