ThreatFox IOCs for 2021-10-15

Medium
Published: Fri Oct 15 2021 (10/15/2021, 00:00:00 UTC)
Source: ThreatFox
Vendor/Project: type
Product: osint

Description

ThreatFox IOCs for 2021-10-15

AI-Powered Analysis

Last updated: 06/19/2025, 13:05:33 UTC

Technical Analysis

The provided threat information pertains to a collection of Indicators of Compromise (IOCs) published by ThreatFox on October 15, 2021, categorized under malware and OSINT (Open Source Intelligence) types. The data appears to be a curated set of threat intelligence indicators rather than a specific malware sample or exploit. The absence of affected versions, CWE identifiers, or patch links suggests that this entry functions primarily as an intelligence feed rather than a direct vulnerability or exploit. The technical details indicate a moderate threat level (threatLevel: 2) with limited analysis (analysis: 1) but a relatively higher distribution score (distribution: 3), implying that the IOCs are somewhat widely disseminated or relevant across multiple environments. There are no known exploits in the wild associated with this data, and no specific malware family or attack vector is identified. The lack of indicators in the dataset further supports that this is a meta-level intelligence update rather than a direct actionable threat. The tags 'type:osint' and 'tlp:white' indicate that the information is open and shareable without restrictions, emphasizing its role as a general intelligence resource. Overall, this threat entry represents a medium-severity intelligence update that organizations can use to enhance their situational awareness but does not describe an immediate or active threat requiring urgent remediation.

Potential Impact

For European organizations, the direct impact of this threat is limited due to the absence of active exploits or specific vulnerabilities. However, the dissemination of IOCs through ThreatFox can aid in early detection and prevention of potential malware infections or intrusion attempts if these indicators are integrated into security monitoring tools. Organizations relying on OSINT feeds can leverage this data to improve their threat hunting and incident response capabilities. The medium severity rating suggests that while the threat is not critical, ignoring such intelligence could result in missed opportunities to detect emerging threats. The impact is primarily on the confidentiality and integrity of systems if the IOCs correspond to malware or intrusion campaigns targeting sensitive data or critical infrastructure. Availability impact is minimal given no active exploits are reported. European entities with mature cybersecurity operations stand to benefit most from incorporating these IOCs into their defenses, whereas less mature organizations may not realize immediate benefits.

Mitigation Recommendations

To effectively utilize this intelligence, European organizations should integrate the provided IOCs into their Security Information and Event Management (SIEM) systems, Endpoint Detection and Response (EDR) platforms, and threat intelligence platforms to enable automated detection and alerting. Regularly updating and correlating these IOCs with internal logs can help identify early signs of compromise. Security teams should conduct threat hunting exercises using these indicators to proactively search for related malicious activity. Additionally, organizations should ensure that their OSINT ingestion pipelines are robust and that analysts are trained to interpret and act on such intelligence. Since no patches or direct vulnerabilities are associated, focus should be on enhancing detection capabilities and maintaining up-to-date threat intelligence feeds. Collaboration with national Computer Security Incident Response Teams (CSIRTs) and sharing findings can improve collective defense. Finally, maintaining strong baseline security controls such as network segmentation, least privilege access, and multi-factor authentication will reduce the risk of exploitation if related threats emerge.

Technical Details

Threat Level: 2
Analysis: 1
Distribution: 3
UUID: eac90693-5a5f-426a-8d70-7142ca980476
Original Timestamp: 1634342582

Indicators of Compromise


Threat ID: 682c7ac0e3e6de8ceb76339a

Added to database: 5/20/2025, 12:51:12 PM

Last enriched: 6/19/2025, 1:05:33 PM

Last updated: 7/28/2025, 6:00:17 AM
