
ThreatFox IOCs for 2022-09-07

Medium
Published: Wed Sep 07 2022 (09/07/2022, 00:00:00 UTC)
Source: ThreatFox
Vendor/Project: type
Product: osint

Description

ThreatFox IOCs for 2022-09-07

AI-Powered Analysis

Last updated: 06/18/2025, 18:50:02 UTC

Technical Analysis

This entry is a collection of Indicators of Compromise (IOCs) published on September 7, 2022, by ThreatFox, a community platform for sharing threat intelligence. It is categorized as malware-related and tagged as OSINT (Open Source Intelligence), which indicates that the data consists of observable artifacts such as IP addresses, domains, hashes and URLs associated with malicious activity rather than details of a particular flaw. No affected software versions, vulnerabilities or exploit details are provided, and no exploits in the wild are linked to this entry. The technical metadata gives a threat level of 2 (the scale is not specified), an analysis score of 1 and a higher distribution score of 3, suggesting the IOCs are fairly widely observed or disseminated. The absence of CWE identifiers and patch links confirms that this is not tied to a specific software vulnerability; it is a set of malware indicators intended for detection and prevention. The entry is tagged TLP:WHITE, so it may be shared publicly without restriction. In short, this update is a detection resource for security teams rather than a signal of an active or critical exploitation campaign.

Potential Impact

For European organizations, the impact of this entry lies in detection and response rather than direct compromise. Because it consists of malware-related IOCs, organizations can use it to identify malicious activity already present in their networks. With no known exploits in the wild, the immediate risk of new attacks exploiting fresh vulnerabilities is low. Failing to load these IOCs into security monitoring, however, can mean missed detections of malware infections or command-and-control communications, which in turn can lead to data breaches, operational disruption or lateral movement. Given the medium severity rating and the OSINT nature of the indicators, the impact is moderate, but it matters for organizations with mature security operations centers (SOCs) that depend on timely threat intelligence to stop incidents from escalating.

Mitigation Recommendations

1. Integrate the provided IOCs into existing security information and event management (SIEM) systems, intrusion detection/prevention systems (IDS/IPS), and endpoint detection and response (EDR) tools to enable automated detection of related malicious activity.
2. Conduct regular threat hunting exercises using these IOCs to proactively identify potential compromises that may not trigger automated alerts.
3. Update firewall and proxy blacklists with any malicious IP addresses or domains included in the IOCs to block outbound and inbound malicious traffic.
4. Enhance user awareness training to recognize phishing or social engineering attempts that may deliver malware associated with these IOCs.
5. Collaborate with national and European cybersecurity information sharing organizations (e.g., ENISA, CERT-EU) to receive timely updates and contextual analysis related to these indicators.
6. Maintain robust incident response plans that incorporate procedures for handling detections related to these IOCs, ensuring rapid containment and remediation.
7. Since no patches are available, focus on detection and containment rather than vulnerability remediation for this specific threat.


Technical Details

Threat Level
2
Analysis
1
Distribution
3
Uuid
0bd6e5c3-4b0a-432e-bcbb-a5f40461ee8a
Original Timestamp
1662595383

Indicators of Compromise

File

Value              Description
159.65.88.10       Dridex botnet C2 server (confidence level: 75%)
51.83.47.27        Dridex botnet C2 server (confidence level: 75%)
192.236.155.47     BumbleBee botnet C2 server (confidence level: 75%)
209.25.141.181     NjRAT botnet C2 server (confidence level: 100%)
78.47.102.252      Vidar botnet C2 server (confidence level: 100%)
212.8.252.159      RedLine Stealer botnet C2 server (confidence level: 100%)
205.185.113.157    Mirai botnet C2 server (confidence level: 75%)
45.154.98.87       AsyncRAT botnet C2 server (confidence level: 75%)
212.8.251.165      RedLine Stealer botnet C2 server (confidence level: 100%)
80.76.51.84        RedLine Stealer botnet C2 server (confidence level: 100%)
37.139.129.11      Mirai botnet C2 server (confidence level: 75%)
93.115.27.11       Cobalt Strike botnet C2 server (confidence level: 100%)
36.255.220.157     Cobalt Strike botnet C2 server (confidence level: 100%)
81.69.58.222       Cobalt Strike botnet C2 server (confidence level: 100%)
118.195.243.152    Cobalt Strike botnet C2 server (confidence level: 100%)
185.170.42.93      Cobalt Strike botnet C2 server (confidence level: 100%)
124.223.204.198    Cobalt Strike botnet C2 server (confidence level: 100%)
31.24.227.218      Cobalt Strike botnet C2 server (confidence level: 100%)
45.147.231.148     PhotoLoader botnet C2 server (confidence level: 75%)
84.32.188.22       PhotoLoader botnet C2 server (confidence level: 75%)
179.43.142.70      PhotoLoader botnet C2 server (confidence level: 75%)
193.239.84.225     PhotoLoader botnet C2 server (confidence level: 75%)
198.244.193.166    PhotoLoader botnet C2 server (confidence level: 75%)
216.244.71.145     PhotoLoader botnet C2 server (confidence level: 75%)
1.117.176.102      Cobalt Strike botnet C2 server (confidence level: 100%)
88.119.170.210     Vidar botnet C2 server (confidence level: 100%)
94.130.75.65       Vidar botnet C2 server (confidence level: 100%)
116.202.179.139    Vidar botnet C2 server (confidence level: 100%)
45.14.224.204      Mirai botnet C2 server (confidence level: 75%)
103.144.139.135    BumbleBee botnet C2 server (confidence level: 75%)
198.98.59.54       BumbleBee botnet C2 server (confidence level: 75%)
104.168.243.204    BumbleBee botnet C2 server (confidence level: 75%)
45.153.240.94      BumbleBee botnet C2 server (confidence level: 75%)
94.158.247.16      IcedID botnet C2 server (confidence level: 75%)
216.244.71.145     IcedID botnet C2 server (confidence level: 75%)
5.255.101.31       IcedID botnet C2 server (confidence level: 75%)
45.153.240.126     IcedID botnet C2 server (confidence level: 75%)
138.197.195.62     IcedID botnet C2 server (confidence level: 75%)
123.56.116.134     Cobalt Strike botnet C2 server (confidence level: 100%)

Hash

Value                                                               Description
4664                                                                Dridex botnet C2 server (confidence level: 75%)
443                                                                 Dridex botnet C2 server (confidence level: 75%)
443                                                                 BumbleBee botnet C2 server (confidence level: 75%)
17464                                                               NjRAT botnet C2 server (confidence level: 100%)
80                                                                  Vidar botnet C2 server (confidence level: 100%)
80                                                                  RedLine Stealer botnet C2 server (confidence level: 100%)
60195                                                               Mirai botnet C2 server (confidence level: 75%)
8453                                                                AsyncRAT botnet C2 server (confidence level: 75%)
80                                                                  RedLine Stealer botnet C2 server (confidence level: 100%)
81                                                                  RedLine Stealer botnet C2 server (confidence level: 100%)
38241                                                               Mirai botnet C2 server (confidence level: 75%)
fa88048b5f80993c1535ec1629dffe075db7f60e2509be890966826f2631da53    IRATA payload (confidence level: 100%)
f9939b6f558ab2da1a11298dcd0daaa3                                    IRATA payload (confidence level: 100%)
edcc80bdd530bd8a51763632f99065a1                                    Kimsuky payload (confidence level: 50%)
443                                                                 Cobalt Strike botnet C2 server (confidence level: 100%)
8882                                                                Cobalt Strike botnet C2 server (confidence level: 100%)
443                                                                 Cobalt Strike botnet C2 server (confidence level: 100%)
80                                                                  Cobalt Strike botnet C2 server (confidence level: 100%)
80                                                                  Cobalt Strike botnet C2 server (confidence level: 100%)
80                                                                  Cobalt Strike botnet C2 server (confidence level: 100%)
80                                                                  Cobalt Strike botnet C2 server (confidence level: 100%)
80                                                                  PhotoLoader botnet C2 server (confidence level: 75%)
80                                                                  PhotoLoader botnet C2 server (confidence level: 75%)
80                                                                  PhotoLoader botnet C2 server (confidence level: 75%)
80                                                                  PhotoLoader botnet C2 server (confidence level: 75%)
80                                                                  PhotoLoader botnet C2 server (confidence level: 75%)
80                                                                  PhotoLoader botnet C2 server (confidence level: 75%)
2096                                                                Cobalt Strike botnet C2 server (confidence level: 100%)
9c3e0fa862609d1ec431d12b66dcbfea76cbca7e36f9714eea810eadf7c564c5    IRATA payload (confidence level: 100%)
73a8af6ddb44480a9aa87de968edf055                                    IRATA payload (confidence level: 100%)
80                                                                  Vidar botnet C2 server (confidence level: 100%)
80                                                                  Vidar botnet C2 server (confidence level: 100%)
80                                                                  Vidar botnet C2 server (confidence level: 100%)
809a7d3e2167ea027312595bf90dea0ddcabd93fa75718d4c89a87971d255031    Remcos payload (confidence level: 100%)
2220649a7dc77637e8cee14d5e0dddfdd1fd525381e02d0c626d7a23c2553cca    Remcos payload (confidence level: 100%)
38241                                                               Mirai botnet C2 server (confidence level: 75%)
443                                                                 BumbleBee botnet C2 server (confidence level: 75%)
443                                                                 BumbleBee botnet C2 server (confidence level: 75%)
443                                                                 BumbleBee botnet C2 server (confidence level: 75%)
443                                                                 BumbleBee botnet C2 server (confidence level: 75%)
443                                                                 IcedID botnet C2 server (confidence level: 75%)
443                                                                 IcedID botnet C2 server (confidence level: 75%)
443                                                                 IcedID botnet C2 server (confidence level: 75%)
443                                                                 IcedID botnet C2 server (confidence level: 75%)
443                                                                 IcedID botnet C2 server (confidence level: 75%)
80                                                                  Cobalt Strike botnet C2 server (confidence level: 100%)

Url

Value                                                                     Description
http://116.203.167.5/                                                     RecordBreaker botnet C2 (confidence level: 100%)
http://a0697279.xsph.ru/videolinux.php                                    DCRat botnet C2 (confidence level: 100%)
http://sempersim.su/gk8/fre.php                                           Loki Password Stealer (PWS) botnet C2 (confidence level: 75%)
http://ixi-sigaho.ml/bot/mr/                                              IRATA botnet C2 (confidence level: 100%)
http://116.202.180.202/1498                                               Vidar botnet C2 (confidence level: 100%)
http://159.69.102.99/1498                                                 Vidar botnet C2 (confidence level: 100%)
http://159.69.102.99/517                                                  Vidar botnet C2 (confidence level: 100%)
http://159.69.102.99/1641                                                 Vidar botnet C2 (confidence level: 100%)
http://116.202.180.202/1142                                               Vidar botnet C2 (confidence level: 100%)
http://78.47.102.252/                                                     Vidar botnet C2 (confidence level: 100%)
http://liviesxy.ml/remoot%20/                                             IRATA botnet C2 (confidence level: 75%)
http://ensewqzxaap.tk/bot.php                                             IRATA botnet C2 (confidence level: 75%)
http://sefid-ratt.tk/bot/sefid/                                           IRATA botnet C2 (confidence level: 75%)
http://n1evewiopq-ir.gq/remoot/                                           IRATA botnet C2 (confidence level: 75%)
http://reoniwqzna.tk/remoot/                                              IRATA botnet C2 (confidence level: 75%)
https://usk.oghabhosting.ir/usk                                           IRATA botnet C2 (confidence level: 100%)
https://usk.oghabhosting.ir/usk/rat.php                                   IRATA botnet C2 (confidence level: 100%)
https://93.115.27.11/jquery-3.3.1.min.js                                  Cobalt Strike botnet C2 (confidence level: 100%)
http://www.pacareer.top:8882/search/                                      Cobalt Strike botnet C2 (confidence level: 100%)
https://81.69.58.222/en_us/all.js                                         Cobalt Strike botnet C2 (confidence level: 100%)
http://3.91.241.150:8084/push                                             Cobalt Strike botnet C2 (confidence level: 100%)
http://service-4vasmazv-1258249715.bj.apigw.tencentcs.com/api/amazonx     Cobalt Strike botnet C2 (confidence level: 100%)
http://185.170.42.93/updates.rss                                          Cobalt Strike botnet C2 (confidence level: 100%)
http://43.138.167.37:8076/owa/                                            Cobalt Strike botnet C2 (confidence level: 100%)
http://192.168.174.139/pixel                                              Cobalt Strike botnet C2 (confidence level: 100%)
https://119.29.187.225:8082/g.pixel                                       Cobalt Strike botnet C2 (confidence level: 100%)
https://hockeysmall.com/run/p/akjwhxpw                                    Cobalt Strike botnet C2 (confidence level: 100%)
http://140.143.232.178:8082/ptj                                           Cobalt Strike botnet C2 (confidence level: 100%)
http://outlook365.baiducloud.info/preload                                 Cobalt Strike botnet C2 (confidence level: 100%)
https://mlodio.miaomiao.in:2096/activity                                  Cobalt Strike botnet C2 (confidence level: 100%)
http://116.202.179.139/1375                                               Vidar botnet C2 (confidence level: 100%)
http://116.202.180.202/1340                                               Vidar botnet C2 (confidence level: 100%)
http://49.12.9.140/517                                                    Vidar botnet C2 (confidence level: 100%)
http://88.119.170.210/                                                    Vidar botnet C2 (confidence level: 100%)
http://116.202.179.139/                                                   Vidar botnet C2 (confidence level: 100%)
http://94.130.75.65/                                                      Vidar botnet C2 (confidence level: 100%)
https://121.5.66.186:1083/dot.gif                                         Cobalt Strike botnet C2 (confidence level: 100%)
http://49.232.175.5/updates.rss                                           Cobalt Strike botnet C2 (confidence level: 100%)
http://124.223.204.198:5555/visit.js                                      Cobalt Strike botnet C2 (confidence level: 100%)
http://api.itinfo.tk/g.pixel                                              Cobalt Strike botnet C2 (confidence level: 100%)
http://124.223.204.198:88/push                                            Cobalt Strike botnet C2 (confidence level: 100%)

Domain

Value                   Description
ixi-sigaho.ml           IRATA botnet C2 domain (confidence level: 100%)
testingmamo.tk          IRATA botnet C2 domain (confidence level: 75%)
liviesxy.ml             IRATA botnet C2 domain (confidence level: 75%)
ensewqzxaap.tk          IRATA botnet C2 domain (confidence level: 75%)
sefid-ratt.tk           IRATA botnet C2 domain (confidence level: 75%)
n1evewiopq-ir.gq        IRATA botnet C2 domain (confidence level: 75%)
reoniwqzna.tk           IRATA botnet C2 domain (confidence level: 75%)
oghabhosting.ir         IRATA botnet C2 domain (confidence level: 100%)
usk.oghabhosting.ir     IRATA botnet C2 domain (confidence level: 100%)
academfleedalas.com     IcedID botnet C2 domain (confidence level: 100%)
dangermoust.buzz        IcedID botnet C2 domain (confidence level: 100%)
leonyelloswen.com       IcedID botnet C2 domain (confidence level: 100%)
iscasbase.cyou          IcedID botnet C2 domain (confidence level: 100%)
xqertansi.gay           IcedID botnet C2 domain (confidence level: 100%)
kbreedfin.fun           IcedID botnet C2 domain (confidence level: 100%)
daniasphalt.cyou        IcedID botnet C2 domain (confidence level: 100%)

Threat ID: 682b7b9fd3ddd8cef2e651c9

Added to database: 5/19/2025, 6:42:39 PM

Last enriched: 6/18/2025, 6:50:02 PM

Last updated: 8/16/2025, 4:28:26 PM

