ThreatFox IOC Database
You are viewing the ThreatFox database entry for url http://hstfurnaces.net/gd4/fre.php.
Database Entry
This IOC expired
This IOC is old and expired on 2025-12-26 01:15:01 UTC. We therefore refrain from exporting it into our datasets. As a result, this database entry is purely informational and has no impact.
| IOC ID: | 391217 |
|---|---|
| IOC: | http://hstfurnaces.net/gd4/fre.php |
| IOC Type: | url |
| Threat Type: | botnet_cc |
| Malware: | Loki Password Stealer (PWS) |
| Malware alias: | Burkina, Loki, LokiBot, LokiPWS |
| Confidence Level: | Confidence level is high (100%) |
| First seen: | 2022-02-28 03:14:02 UTC |
| Last seen: | 2022-02-28 03:14:09 UTC |
| UUID: | 7a64a1e5-9844-11ec-a022-42010aa4000a |
| Reporter | |
| Reward | 5 credits from ThreatFox |
| Tags: | Loki LokiBot LokiPWS |
| Reference: | https://tria.ge/220228-dj287sedcm |
AndreGironda
MITRE T1566.001
Received: from mail.ptsci.id (103.232.67.35)
Date: Mon, 28 Feb 2022 09:55:05 +0700 (WIB)
From: "HT ENERGY JSC (HTE)." <uly.wulan@ptsci.id>
Message-ID: <549876204.12671201.1646016905895.JavaMail.zimbra@ptsci.id>
In-Reply-To: <952868524.12669299.1646016294419.JavaMail.zimbra@ptsci.id>
References: <1576054980.12663590.1646014675224.JavaMail.zimbra@ptsci.id> <1607400858.12668300.1646016038645.JavaMail.zimbra@ptsci.id> <926163940.12668379.1646016079008.JavaMail.zimbra@ptsci.id> <951332295.12668512.1646016122454.JavaMail.zimbra@ptsci.id> <2000214028.12668628.1646016166894.JavaMail.zimbra@ptsci.id> <2057365171.12669061.1646016239224.JavaMail.zimbra@ptsci.id> <1341669749.12669129.1646016265907.JavaMail.zimbra@ptsci.id> <952868524.12669299.1646016294419.JavaMail.zimbra@ptsci.id>
Subject: RE: Proforma Invoice ,PI-AKR-112-2022-22, price confirmation. Order-754
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_12671192_841287161.1646016905879"
X-Originating-IP: [192.168.38.5]
X-Mailer: Zimbra 8.8.15_GA_3928 (ZimbraWebClient - GC98 (Win)/8.8.15_GA_3928)
Thread-Index: 0zYX+zDUBd87rhvxi7JYEJw/wbfr5cDe/67eAg8whvsvT+JzCvMI1CYKXhdfS2GBT1Ikab1isBvzes5sDqSDydeejjhuJPuY0ohKVRpEwJMvKh22t5vSFfN7vjrcDL2elw==
To: Undisclosed recipients:;
Return-Path: uly.wulan@ptsci.id
Attachment Name: PI-AKR-112-2022-22.xlsx
Maldoc SHA256: fefedf3898545c89e502270d58a78df70c2b3d7e04815c28da94bfd209cdb9c3
Stage URL: hXXp://104[.]168.32.66/space360/.csrss[.]exe
Stage Executable SHA256: 0ca32832b9e27eb9eb610e5cbf53d25e34cb06b6b0edd1b024b6762e8455799b
Malware Samples
The table below documents recent malware samples observed that are associated with this indicator of compromise (IOC).