ThreatFox IOC Database

You are viewing the ThreatFox database entry for ip:port 20.206.126.228:55516.

Database Entry

This IOC expired

This IOC is an old IOC and hence has expired on 2026-06-16 01:15:01 UTC. We therefore refrain from exporting it into our datasets. As a result, this database entry is purely informational and has no impact.

IOC ID:	237388
IOC:	20.206.126.228:55516
IOC Type :	ip:port
Threat Type :	botnet_cc
Malware:	Metamorfo
Malware alias:	Casbaneiro
Confidence Level :	Confidence level is high (100%)
Is compromised? :	False
ASN:	AS8075 MICROSOFT-CORP-MSN-AS-BLOCK
Country:	US
First seen:	2021-10-25 15:41:30 UTC
Last seen:	never
UUID:	06232033-35aa-11ec-a35f-42010aa4000a
Reporter	AndreGironda
Reward	5 credits from ThreatFox
Tags:	banload Culebra mekotio Metamorfo msi
Reference:	https://bazaar.abuse.ch/sample/951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f/

AndreGironda

MITRE T1566.001
Date: Mon, 25 Oct 2021 00:00-00:30 +0000 (UTC)
Received: from f79.user-online01.com (52.243.78.50)
content-type: text/html
Subject: ✅ <removed>, Pix Recebido com Sucesso- - ID:914767914767
From: BCO-CENTRAL <gerencia-central86236@f79.user-online01.com>
Message-Id: <20211025002820.F02423FB76@f79.user-online01.com>
Return-Path: root@f79.user-online01.com
Malicious URL: hXXps://res.cloudinary[.]com/dpxbbemsn/raw/upload/v1634858510/chegouseupix_d2av9g.html
Microsoft Installer Name: FORM_PIX XJTVCZG.msi
Metamorfo MSI SHA256: 951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f
Unpacked DLL 1 SHA256: 23179a9183cb0c0d3e10bfbf6edd5b1d92244ea1ae3120bb008ac09cea59b217
Unpacked Banload DLL 2 SHA256: 5b6cdda58dabeb641d45086144e3b2e92ae1ba2c7a10cfdb4c6db09ca971d45b
Unpacked (Acts like Nanocore or Ramnit) Executable SHA256: 35a42f9ea63f72cda8a6c7af60a3fac081154128cba2bf7a7392d85383b6d18a
Stage 1 URL: hXXp://ec2-18-231-149-132.sa-east-1.compute.amazonaws[.]com/mod2.zip
Stage 2 URL: hXXps://759c87514850247c.s3.us-east-2.amazonaws[.]com/0321F9132EC97FDC5EE532FF.zip
Stage 3 URL: hXXps://unterteks.eastus2.cloudapp.azure[.]com/gbuster/barman.php
Stage 4 URL: hXXps://pspentregasonline[.]com/cor/amarelo.txt
Stage 1 Zipfile Name: mod2.zip
Stage 1 Zipfile SHA256: e44b18cfc6e3ae2e161f1c5bf59716754f734a48b8cda07e42f32bc55bc07a4f
Unzipped DLL Name: rqvufRfLLN.dll
Culebra Variant DLL SHA256: 2f8b16754738ee4c6bbc63da55e8162f75906b62991081b81e8ca24552123025
Unpacked Culebra Variant DLL SHA256: e6bf7bc4b7f5235a307f5253ef3595d8aa50fefcfdb141d0e75c108676a584cd