ThreatFox IOC Database
You are viewing the ThreatFox database entry for url http://164.90.194.235/?id=9766379650572930.
Database Entry
This IOC expired
This IOC is old and expired on 2025-12-15 01:15:01 UTC. We therefore refrain from exporting it into our datasets. As a result, this database entry is purely informational and has no impact.
| IOC ID: | 396071 |
|---|---|
| IOC: | http://164.90.194.235/?id=9766379650572930 |
| IOC Type: | url |
| Threat Type: | botnet_cc |
| Malware: | Loki Password Stealer (PWS) |
| Malware alias: | Burkina, Loki, LokiBot, LokiPWS |
| Confidence Level: | Confidence level is high (100%) |
| ASN: | AS14061 DIGITALOCEAN-ASN |
| Country: | US |
| First seen: | 2022-03-17 04:55:46 UTC |
| Last seen: | never |
| UUID: | 820dc5d1-a5ae-11ec-a022-42010aa4000a |
| Reporter | |
| Reward | 5 credits from ThreatFox |
| Tags: | Loki LokiBot LokiPWS |
| Reference: | https://tria.ge/220317-fdwkkshgdj |
AndreGironda
MITRE T1566.001
Date: Thu, 17 Mar 2022 03:00-03:30 +0100
Received: from syrianmonster.sy (185.216.132.201)
Received-SPF: pass (syrianmonster.sy: connection is authenticated)
MIME-Version: 1.0
From: FRED HELSON INTL <fredhelson1@gmail.com>
To: undisclosed-recipients:;
Subject: PO O.N./I.M.O. 9636228
Reply-To: "FRED HELSON(Sales)" <fredhelson1@gmail.com>
User-Agent: Roundcube Webmail/1.4.13
Message-ID: <58a7298c495dc49eacd23644144fc1f5@gmail.com>
X-Sender: fredhelson1@gmail.com
Content-Type: multipart/mixed; boundary="=_601db054b2ef457381991dc1b3e27e40"
X-PPP-Message-ID: <20220317020812.14334.67392@syrianmonster.sy>
X-PPP-Vhost: syrbf.org
Return-Path: fredhelson1@gmail.com
Attachment Name: PO_viber_image_2022-03-17_14-44-40-907.r00
Attachment SHA256: 39fbab891ae884a88bd350751073f7fa1afba7575e20f9b0b30d89ec8f3265b5
Executable Name: PO_viber_image_2022-03-17_14-44-40-907.exe
Executable SHA256: bf7fddad958583c75d88fedaba89ef1cd2afb0f0e86fc5c1da404601239ac71e
Stage 1 URL: hXXps://transfer[.]sh/get/1mqoDt/gxIRmE-score.rtf
Stage 2 URL: hXXps://transfer[.]sh/get/Ub1zC3/gxIRmE-raw.txt
Malware Samples
The table below documents recent malware samples observed that are associated with this indicator of compromise (IOC).