ThreatFox IOC Database
You are viewing the ThreatFox database entry for ip:port 194.5.98.126:3378.
Database Entry
This IOC expired
This IOC is old and expired on 2025-12-26 01:15:01 UTC. We therefore refrain from exporting it into our datasets. As a result, this database entry is purely informational and has no impact.
| IOC ID: | 838002 |
|---|---|
| IOC: | 194.5.98.126:3378 |
| IOC Type: | ip:port |
| Threat Type: | botnet_cc |
| Malware: | NetWire RC |
| Malware alias: | NetWeird, NetWire, Recam |
| Confidence Level: | Confidence level is high (100%) |
| ASN: | AS149020 WEBHORIZON-AS-AP |
| Country: | IN |
| First seen: | 2022-07-15 14:16:53 UTC |
| Last seen: | never |
| UUID: | c6cf1fec-0448-11ed-8409-42010aa4000a |
| Reporter | |
| Reward | 5 credits from ThreatFox |
| Tags: | NetWire |
| Reference: | https://bazaar.abuse.ch/sample/48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b/ |
AndreGironda
MITRE T1566.001
Date: Fri, 15 Jul 2022 16:30-17:00 +0700 (ICT)
Received: from barsmtp.top (103.82.27.123)
X-Virus-Scanned: amavisd-new at barsmtp.top
Received: from barsmtp.top (barsmtp.top [103.82.27.123])
From: Jason Bourne <admin@barsmtp.top>
Message-ID: <1639376749.41802.1657877713984.JavaMail.zimbra@barsmtp.top>
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_41798_71267147.1657877713952"
X-Originating-IP: [103.82.27.123]
X-Mailer: Zimbra 8.6.0_GA_1153 (ZimbraWebClient - FF69 (Win)/8.6.0_GA_1153)
To: Undisclosed recipients:;
Return-Path: admin@barsmtp.top
Attachment Name: INVOICE3.xll
XLL SHA256: 48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b
Unpacked DLL Name: ExselDna.Loader.dll
DLL SHA256: abc2f748620397914481a8d8cfbb00d4d19dbb27fec417bf8dbc36e66a749d82
Stage URL: hXXp://192[.]3.194.246/account_Mryifdyo.png
Stage Executable SHA256: 372e7d0d0d0f0847d2cb347b562d78b410e4525a7110f954d3aa3da9c2159324
Carved Executable SHA256: 25dad78ab7c58d13f9d931d740c83193f57930d6a4202e9096ed44a159886db0
Malware Samples
The table below documents recent malware samples observed that are associated with this indicator of compromise (IOC).