ThreatFox IOC Database

You are viewing the ThreatFox database entry for url http://chrisupdated.xyz/ttboi/panel/five/fre.php.

Database Entry

IOC ID: 395088
IOC: http://chrisupdated.xyz/ttboi/panel/five/fre.php
IOC Type: url
Threat Type: botnet_cc
Malware: Loki Password Stealer (PWS)
Malware alias: Burkina, Loki, LokiBot, LokiPWS
Confidence Level: high (100%)
ASN: AS15169 GOOGLE
Country: US
First seen: 2022-03-14 05:40:29 UTC
Last seen: never
UUID: 41d2e9e4-a359-11ec-a022-42010aa4000a
Reporter: AndreGironda
Reward: 5 credits from ThreatFox
Tags: Loki LokiBot LokiPWS
Reference: https://tria.ge/220314-cgrh9abhc7

AndreGironda
MITRE T1566.001
Date: Sun, 13 Mar 2022 18:30-19:00 -0700
Received: from pkz49.hoster.kz ([185.116.195.196])
MIME-Version: 1.0
From: HSBC Advising Service <office@oliveads.az>
To: undisclosed-recipients:;
Subject: Payment Advice - Advice Ref:[GLV922853603] / Priority payment / Customer Ref:[20212800000440]
Reply-To: HSBC Advising Service <goldminersasociationsci@gmail.com>
In-Reply-To: <75865bc7c98cfeef238079d0cbde2a50@oliveads.az>
References: <b3b72e42aa523221d3b2f97e4d8b2097@oliveads.az>
User-Agent: Roundcube Webmail/1.4.11
Message-ID: <21c103103b4fda72e347af2adf1c9d97@oliveads.az>
X-Sender: office@oliveads.az
Content-Type: multipart/mixed; boundary="=_418004eb39bb718e298674f5c507ff5e"
X-PPP-Message-ID: <20220314015753.91405.69044@pkz49.hoster.kz>
X-PPP-Vhost: shanyrak-group.kz
X-Originating-IP: 185.116.195.196
X-Report-Abuse-To: spam@spamexpert1.hoster.kz
Return-Path: office@oliveads.az
Attachment Name: Payment advice.xlsx
Maldoc SHA256: e2b80cac15b46c83dc2e5cdca8bf906ac014f3ebbdc7f35e150a05c8391cccfb
Stage URL: hXXp://107[.]172.13.168/88/vbc[.]exe
Stage Executable SHA256: 3bac0344ebff1e7192d779672d39d141347c4dd80e0b423b1988d2809ace7037

Malware Samples

The table below documents recent malware samples observed that are associated with this indicator of compromise (IOC).

Time stamp (UTC) | SHA256 hash | Bazaar
2022-03-14 08:31:37 | 3bac0344ebff1e7192d779672d39d141347c4dd80e0b423b1988d2809ace7037 |