IOC Radar

Indicator: cs9.wac.phicdn.net.11.1.cec2d059.roksit.net
Type: Domain
Signal score: 83/100 (page label: Low Signal)
Confidence: 83% score, "low" label
Location: Morocco
First seen: Aug 21, 2022 (1407 days ago)
Last seen: Jun 12, 2026 (16 days ago)
Source reports: 3
VirusTotal: 0/91 detections

Found in 3 reports. Confidence: low. Confidence scores are heuristic; verify before acting on results.

Two things to check before blocking this name. First, the page's own signals disagree with each other: an 83/100 score sits next to a "low" confidence label, zero VirusTotal detections and no IDS rule. Second, the first four labels spell out a complete hostname of their own (cs9.wac.phicdn.net), followed by what look like numeric counters and an identifier under roksit.net. That shape is typical of a resolver or DNS-filtering log that encodes the queried name as a subdomain of its own domain, not of attacker-registered infrastructure, so confirm that the full name actually resolves and serves something before treating it as C2.
MISP attribute
Type: domain (the page's generic type description reads "Malicious domain used for C2, phishing, or malware distribution"; it describes the attribute type, not evidence specific to this hostname)
Category: Network Activity
Confidence: 83%
Signal score: 83/100
IDS rule: No (the source did not flag the attribute for IDS export)
Threat Context

MITRE ATT&CK TTPs: 147 techniques. These are the technique IDs carried in the page's tag set. A single hostname with one observation cannot have been seen performing 147 techniques, so read the list as the union of the tags on the source reports rather than as behaviour attributed to this domain:
T1001, T1003, T1005, T1010, T1011, T1012, T1014, T1016, T1018, T1019, T1021, T1021.001,
T1021.006, T1022, T1023, T1027, T1030, T1031, T1035, T1036, T1036.004, T1037, T1040, T1041,
T1045, T1047, T1053, T1055, T1055.001, T1055.012, T1056, T1056.001, T1057, T1059, T1059.001,
T1059.004, T1059.007, T1060, T1063, T1064, T1067, T1068, T1069.001, T1070, T1071, T1071.001,
T1071.003, T1071.004, T1074, T1078, T1078.004, T1081, T1082, T1083, T1086, T1088, T1091,
T1094, T1095, T1105, T1106, T1110, T1110.002, T1112, T1113, T1114, T1114.002, T1119, T1120,
T1129, T1132, T1134, T1140, T1143, T1155, T1158, T1176, T1179, T1185, T1189, T1190, T1192,
T1195, T1199, T1202, T1203, T1204, T1204.001, T1204.002, T1210, T1213, T1218.001, T1221,
T1222, T1480, T1485, T1486, T1490, T1491, T1495, T1496, T1497, T1497.001, T1499.002,
T1499.003, T1505, T1518, T1539, T1542, T1543, T1547, T1548, T1553, T1553.004, T1560, T1562,
T1563.002, T1564, T1565, T1566, T1566.001, T1566.002, T1566.003, T1566.004, T1568, T1569,
T1571, T1573, T1574, T1583, T1583.002, T1583.005, T1587.001, T1588, T1588.002, T1589.001,
T1590, T1590.001, T1593.001, T1595, T1595.001, T1595.002, T1595.003, T1596.001, T1596.004,
T1598, T1614

Feed Intelligence Summary: 3 source reports, 83% confidence score.

Category tags: the page carries a large tag cloud (malware family names, countries, ATT&CK tactics, sandbox and WHOIS field names, and the technique IDs above) that was extracted without separators. It is a feed-wide aggregate rather than a set of tags specific to this indicator and is not reproduced here.

Activity Timeline

1 observation in total, on Jun 12, 2026. Heatmap peak: 2026-06-12 (the 12-month heatmap itself is not reproduced; the Aug 21, 2022 first-seen date lies outside its window).

Observations by window:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat score: 83 (labelled "High Risk" in this panel and "Low Signal" in the page header; both refer to the same heuristic signal score)
Confidence: 83%
Reports: 3
First seen: Aug 21, 2022
Last seen: Jun 12, 2026

VirusTotal

0/91 vendors flagged (0% detection rate), checked Jun 15, 2026

WHOIS (record for the registrable domain roksit.net, not for the full hostname)

registrar: Name.com, Inc.
creation date: 2014-07-22T09:07:40
expiration date: 2026-07-22T09:07:40
updated date: 2025-06-04T10:57:47
name servers: NS1.ROKSIT.NET, NS2.ROKSIT.NET
country: US
org: Redacted for Privacy
status: clientTransferProhibited (https://icann.org/epp#clientTransferProhibited)

The registration dates back to 2014 and the domain is served by name servers under its own name, so the parent domain is long-lived rather than freshly registered throwaway infrastructure. The WHOIS country (US) describes the registrant record; the Location field above is a separate geolocation value and need not agree with it.

Export & API: STIX 2.1 bundle, CSV export, permalink.
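As an added example (written for this page; it is not code from IOC Radar, MISP or VirusTotal), the Python below reads the page's fields into a dict, applies the checks a practitioner would run before blocking (low confidence label, 0/91 VirusTotal, no IDS rule, and the embedded-hostname shape of the name) and emits the kind of STIX 2.1 indicator bundle the export link offers. The INDICATOR dict is constructed from the values displayed above, the PUBLIC_SUFFIX_LABELS set is a stand-in for the Public Suffix List, and mapping the "low" label to STIX confidence 15 follows the STIX 2.1 None/Low/Med/High scale; all three are assumptions the page does not state.

```python
"""Triage a domain indicator and export it as a STIX 2.1 bundle.

Example code for this page, not code from IOC Radar, MISP or VirusTotal.
INDICATOR is constructed from the page's displayed fields; nothing here
calls a live API.
"""
import uuid
from datetime import datetime, timezone

# Constructed from the page's fields (not fetched from any service).
INDICATOR = {
    "value": "cs9.wac.phicdn.net.11.1.cec2d059.roksit.net",
    "signal_score": 83,          # page's heuristic 0-100 score
    "confidence_label": "low",   # page's confidence label
    "reports": 3,
    "vt_detections": 0,
    "vt_vendors": 91,
    "ids_rule": False,           # "IDS Rule: No"
    "first_seen": "2022-08-21",
    "last_seen": "2026-06-12",
}

# Assumption: a tiny stand-in for the Public Suffix List, enough for the demo.
PUBLIC_SUFFIX_LABELS = {"com", "net", "org", "io", "edu", "gov"}

# STIX 2.1 None/Low/Med/High confidence scale expressed on the 0-100 range.
STIX_CONFIDENCE = {"none": 0, "low": 15, "medium": 50, "high": 85}


def embedded_hostnames(fqdn):
    """Return hostnames that appear to be embedded as leading labels of fqdn.

    'cs9.wac.phicdn.net.11.1.cec2d059.roksit.net' starts with the complete
    name 'cs9.wac.phicdn.net'; names of that shape usually come from resolver
    or DNS-filter logs that encode the queried name under their own domain.
    Heuristic: a public-suffix label that is neither the first label nor part
    of the outer registrable domain (last two labels) ends an embedded name.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return [
        ".".join(labels[: i + 1])
        for i, label in enumerate(labels[:-2])
        if i >= 1 and label in PUBLIC_SUFFIX_LABELS
    ]


def triage(ind):
    """Turn the page's separate signals into one verdict plus the reasons."""
    reasons = []
    if ind["confidence_label"] == "low":
        reasons.append("confidence label is low")
    if ind["vt_detections"] == 0:
        reasons.append(f"0/{ind['vt_vendors']} VirusTotal vendors flag it")
    if not ind["ids_rule"]:
        reasons.append("source did not flag it for IDS")
    embedded = embedded_hostnames(ind["value"])
    if embedded:
        reasons.append(f"looks like a resolver-log artifact embedding {embedded[0]}")
    verdict = "verify before blocking" if reasons else "block candidate"
    return verdict, reasons


def stix_bundle(ind, now_iso=None):
    """Build a minimal STIX 2.1 bundle holding one indicator for the domain.

    now_iso lets callers (and tests) pin the created/modified timestamps.
    """
    if now_iso is None:
        now_iso = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    verdict, reasons = triage(ind)
    # STIX patterns are single-quoted; escape backslashes and single quotes.
    escaped = ind["value"].replace("\\", "\\\\").replace("'", "\\'")
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now_iso,
        "modified": now_iso,
        "name": ind["value"],
        "description": (
            f"Signal {ind['signal_score']}/100 from {ind['reports']} reports; "
            f"{verdict}: " + "; ".join(reasons)
        ),
        # Unverified indicators go out as anomalous, not confirmed malicious.
        "indicator_types": ["anomalous-activity" if reasons else "malicious-activity"],
        "pattern": f"[domain-name:value = '{escaped}']",
        "pattern_type": "stix",
        "valid_from": f"{ind['first_seen']}T00:00:00Z",
        "confidence": STIX_CONFIDENCE[ind["confidence_label"]],
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator]}


if __name__ == "__main__":
    import json
    print(json.dumps(stix_bundle(INDICATOR), indent=2))
```

Run as a script it prints the bundle; for this page's values the indicator is exported with confidence 15, indicator type anomalous-activity, and a description listing the four reasons the name should be verified rather than blocked outright. Swapping PUBLIC_SUFFIX_LABELS for a real Public Suffix List lookup is the one change needed before using the embedded-hostname check on arbitrary input.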
