ThreatFox IOC Database

You are viewing the ThreatFox database entry for url http://75bccc18b4d1631c2ecda542c872db27.cf/Ausin2/fre.php.

Database Entry


IOC ID: 391277
IOC: http://75bccc18b4d1631c2ecda542c872db27.cf/Ausin2/fre.php
IOC Type: url
Threat Type: botnet_cc
Malware: Loki Password Stealer (PWS)
Malware alias: Burkina, Loki, LokiBot, LokiPWS
Confidence Level: high (100%)
First seen: 2022-02-28 14:56:52 UTC
Last seen: never
UUID: aa1e4105-98a6-11ec-a022-42010aa4000a
Reporter: AndreGironda
Reward: 5 credits from ThreatFox
Tags: Loki LokiBot LokiPWS
Reference: https://bazaar.abuse.ch/sample/9421d385e1a985b7089ecdb458bd66813d8dbb0884241d6a47191b3b9d974c71/

AndreGironda
MITRE T1566.001
Date: 28 Feb 2022 06:30-07:00 +0000
Received: from srv3.gzgunajun.com (198.23.173.110
From: "Claus Juel Clement - Clipper Bulk A/S" <info@gzgunajun.com>
Subject: RE: February 2022 Statement of Account
Message-ID: <20220228064750.BCDD606C4487609A@gzgunajun.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_28527C0F.5697B321"
Return-Path: info@gzgunajun.com
Attachment Name: SOA_February_2022.xlsx
Maldoc SHA256: 9421d385e1a985b7089ecdb458bd66813d8dbb0884241d6a47191b3b9d974c71
Stage URL: hXXp://3[.]138.105.135/a1/scan_01.exe
Stage Executable SHA256: 8fae654a8e1d95245cc0277a8b2e319ca9b735e9e0d169cc31fae440b491f903
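Consuming an entry like this one means turning its indicators, including the defanged stage URL in the comment above, back into matchable values and running them over telemetry. The Python below is an added example, not ThreatFox's code or the reporter's: it refangs the indicators from this page and scans a few constructed proxy, mail-gateway and EDR lines for them, reporting whether a hit was on the full URL or hash or only on the bare host. The log line formats, the feed names and the `Hit`/`scan` helpers are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Indicators copied from the ThreatFox entry and the reporter's comment above.
# The stage URL is deliberately kept in its defanged form; refang() undoes it.
IOCS = {
    "c2_url": "http://75bccc18b4d1631c2ecda542c872db27.cf/Ausin2/fre.php",
    "stage_url": "hXXp://3[.]138.105.135/a1/scan_01.exe",
    "sender_domain": "gzgunajun.com",
    "maldoc_sha256": "9421d385e1a985b7089ecdb458bd66813d8dbb0884241d6a47191b3b9d974c71",
    "stage_sha256": "8fae654a8e1d95245cc0277a8b2e319ca9b735e9e0d169cc31fae440b491f903",
}

# Constructed sample telemetry (not real logs): a proxy feed, two header lines
# copied from the reporter's comment, and one EDR file event. The line formats
# and feed names are assumptions for this example.
SAMPLE_LOGS = {
    "proxy": [
        "2022-02-28T15:02:11Z 10.0.0.12 GET http://3.138.105.135/a1/scan_01.exe 200",
        "2022-02-28T15:03:40Z 10.0.0.12 POST http://75bccc18b4d1631c2ecda542c872db27.cf/Ausin2/fre.php 404",
        "2022-02-28T15:04:02Z 10.0.0.13 GET https://www.example.com/ 200",
        "2022-02-28T15:05:19Z 10.0.0.14 CONNECT 3.138.105.135:80 200",
    ],
    "mail": [
        'From: "Claus Juel Clement - Clipper Bulk A/S" <info@gzgunajun.com>',
        "Subject: RE: February 2022 Statement of Account",
    ],
    "edr": [
        "2022-03-01T07:01:38Z host=WS-0042 event=file_create path=C:\\Users\\Public\\scan_01.exe "
        "sha256=8FAE654A8E1D95245CC0277A8B2E319CA9B735E9E0D169CC31FAE440B491F903",
    ],
}


def refang(value: str) -> str:
    """Undo the usual defanging (hXXp, [.], (.), {.}, [:], [@]) and lowercase.

    Lowercasing also folds URL paths, which are case-sensitive; that is a
    deliberate loosening so hunting is not defeated by case differences.
    """
    v = value.strip()
    v = re.sub(r"\bhxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = v.replace("[:]", ":").replace("[@]", "@")
    return v.lower()


def build_patterns(iocs: Dict[str, str]) -> Dict[str, List[str]]:
    """Per IOC, an ordered list of substrings: the full value first, then (for
    URLs) the bare host, so hostname-only records such as CONNECT or DNS logs
    still match. Which pattern fired is reported in the hit."""
    patterns: Dict[str, List[str]] = {}
    for name, raw in iocs.items():
        value = refang(raw)
        pats = [value]
        if value.startswith(("http://", "https://")):
            host = urlparse(value).hostname
            if host:
                pats.append(host)
        patterns[name] = pats
    return patterns


@dataclass(frozen=True)
class Hit:
    ioc: str      # IOC name from the IOCS table
    source: str   # which feed the line came from
    matched: str  # substring that fired: full URL/hash, or only the bare host
    line: str     # original line, untouched, for the analyst


def scan(logs: Dict[str, List[str]], iocs: Dict[str, str] = IOCS) -> List[Hit]:
    """Return one Hit per (line, IOC) pair, using the most specific pattern."""
    patterns = build_patterns(iocs)
    hits: List[Hit] = []
    for source, lines in logs.items():
        for line in lines:
            norm = refang(line)  # lines pasted from reports are often defanged too
            for name, pats in patterns.items():
                for p in pats:  # full value is tried before the bare host
                    if p in norm:
                        hits.append(Hit(name, source, p, line))
                        break
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"[{h.source}] {h.ioc} via {h.matched!r}: {h.line}")
```

The full-URL and hash matches are precise but brittle: the two SHA256s only cover the samples listed on this page, and "Last seen: never" means ThreatFox has not re-observed the C2 URL since the report. The bare-host fallback is what catches CONNECT or DNS records, but an IP address can be reassigned, so treat host-only hits on 3.138.105.135 as leads to verify rather than confirmed Loki activity.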

Malware Samples


The table below documents recent malware samples observed that are associated with this indicator of compromise (IOC).

Time stamp (UTC)       SHA256 hash
2022-03-01 09:41:07    8eb9ced7e44fb7c3c123a4816cb8285e7ec329cdc713b2dc52445c76dcff14af
2022-03-01 07:01:38    8fae654a8e1d95245cc0277a8b2e319ca9b735e9e0d169cc31fae440b491f903