ThreatFox IOC Database

You are viewing the ThreatFox database entry for url https://devltd.us/flomos1.zip.

Database Entry


IOC ID: 1831715
IOC: https://devltd.us/flomos1.zip
IOC Type: url
Threat Type: payload_delivery
Malware: Unknown malware
Confidence Level: Confidence level is high (100%)
Is compromised?: False
ASN: AS13335 CLOUDFLARENET
Country: US
First seen: 2026-06-13 15:05:31 UTC
Last seen: never
UUID: 4e343f71-670b-11f1-9e0e-42010aa4000a
Reporter: Decio1
Reward: 5 credits from ThreatFox

Decio1
Second-stage payload URL extracted from Joe Sandbox execution of the ClearFake PowerShell chain. The dropped PowerShell script downloads https://devltd.us/flomos1.zip to %TEMP%\file.zip, extracts it to %LOCALAPPDATA%\ExFiles, and starts %LOCALAPPDATA%\ExFiles\flomo.exe. Final malware family not confirmed by the available report.