ThreatFox IOC Database
You are viewing the ThreatFox database entry for url https://23.160.193.12/client/maintenance.
Database Entry
This IOC expired
This IOC is old and therefore expired on 2026-06-14 01:15:01 UTC. We no longer export it into our datasets, so this database entry is purely informational and has no impact.
| IOC ID: | 342345 |
|---|---|
| IOC: | https://23.160.193.12/client/maintenance |
| IOC Type: | url |
| Threat Type: | botnet_cc |
| Malware: | BazarBackdoor |
| Malware alias: | BEERBOT, KEGTAP, Team9Backdoor, bazaloader, bazarloader |
| Confidence Level: | Confidence level is high (100%) |
| Is compromised?: | False |
| ASN: | AS397270 NETINF-TRANSIT-AS |
| Country: | US |
| First seen: | 2022-01-26 17:57:33 UTC |
| Last seen: | never |
| UUID: | 6feeb3db-7ed1-11ec-a824-42010aa4000a |
| Reporter: | AndreGironda |
| Reward: | 5 credits from ThreatFox |
| Tags: | bazaloader password-dt2601 TA571 xll |
| Reference: | https://tria.ge/220126-vx752sfgdn |

MITRE T1566.002
Date: Wed, 26 Jan 2022 18:00-18:30 +0100
Received: from cp5.ulimitserver.com ([194.146.59.69])
Subject: Re: Full loop PFT in under 3 minutes, anytime, anywhere.
X-PHP-Script: www.folklorika.rs/wp-content/plugins/wp-roilbask/includes/class-send.php for 41.1.84.198
X-PHP-Filename: /home/folklorikars/public_html/wp-content/plugins/wp-roilbask/includes/class-send.php REMOTE_ADDR: 41.1.84.198
MIME-Version: 1.0
Content-Type: multipart/alternative;boundary=c68c001a9f4e444ef5be16c3561ca9d8
From: Wendy Stevens <WendyStevens@www.folklorika.rs>
Reply-To: WendyStevens@www.folklorika.rs
Message-Id: <E1nCluc-000099-2U@cp5.ulimitserver.com>
X-mCloud-MailScanner: Found to be clean, Found to be clean
X-mCloud-MailScanner-SpamCheck:
X-Authenticated-Sender: cp5.ulimitserver.com: WendyStevens@www.folklorika.rs
X-mCloud-MailScanner-Information: Please contact the ISP for more information
X-mCloud-MailScanner-ID: 1nCluh-0004WN-Mc
X-mCloud-MailScanner-SpamScore: s
X-mCloud-MailScanner-From: folklorikars@cp5.ulimitserver.com
Return-Path: folklorikars@cp5.ulimitserver.com
Message Body URL: hXXps://1drv[.]ms/u/s!Au3LP5cK1PEodtDzquT4JatcRNA?e=b24tjD
URL Plant Zipfile Name: DBDESRCD_FfSIg3.zip
Zipfile SHA256: 25edcdda4d352d83ef7ea4431288311e48aaa4a56d8f57250e3ff074f269abd4
Zipfile Password -- dt2601
Unzipped XLL Name: DOCUMENT[2022.01.26_15-59].xll
XLL SHA256: 6abb77c063ddec44aeecb57c1c3b782438dbc585b0ad38eb008bd434cc78407e
rundll32 C:\Users\Admin\ClangCompileG.dll , vchuudsa
DLL Name: ClangCompileG.dll
BazaLoader DLL SHA256: 9464bad22eb2dabac99cc6f14474cb1d4def6cebe10b6d2de6d2428495d776a1
--
MITRE T1566.002
Date: Wed, 26 Jan 2022 18:00-18:30 +0100 (CET)
Received: from cluster023.hosting.ovh.net (gwc.cluster023.hosting.ovh.net [91.134.248.235])
Subject: Re: Support California Animalse
MIME-Version: 1.0
Content-Type: multipart/alternative;boundary=5a15e3b9f2473e0d151391cb00d263ba
From: ZooMedia.org <ZooMedia.org@furcom.fr>
Reply-To: ZooMedia.org@furcom.fr
Message-Id: <20220126171623.20E0160E60@cluster023.hosting.ovh.net>
X-Ovh-Tracer-Id: 9360450351274537568
Return-Path: bounce-id=D026=U29420.cluster023.ovh.net=1643217383.88-M8I6K@mail-out.cluster023.hosting.ovh.net
Message Body URL: hXXps://1drv[.]ms/u/s!AgnE7zI2CMAJcPa-4oQhYt8gzZM?e=SVIjEK
URL Plant Zipfile Name: oNL3XtFa_LHEZh9.zip
Zipfile SHA256: 9eebf5067e035e1e0617470cad68237658bc09e3e46ffe51d8b0454e324ddb15
Zipfile Password -- dt2601
Unzipped XLL Name: information[2022.01.26_15-59].xll
XLL SHA256: ba3c24183f68abf4ca20ebfacc555f3002f21939ee1c47aefcee53811c0e2d87
rundll32 C:\Users\Admin\ClangCompU.dll , vchuudsa
DLL Name: ClangCompU.dll
BazaLoader DLL SHA256: ab5b2d013de2dca90ccd49abf9a216c5c1072bedfee689da036acc7492715149