
ThreatFox IOCs for 2023-03-26

Medium
Published: Sun Mar 26 2023 (03/26/2023, 00:00:00 UTC)
Source: ThreatFox
Vendor/Project: type
Product: osint

Description

ThreatFox IOCs for 2023-03-26

AI-Powered Analysis

Last updated: 06/19/2025, 14:18:04 UTC

Technical Analysis

The provided threat information pertains to a malware-related intelligence report titled "ThreatFox IOCs for 2023-03-26," sourced from ThreatFox, an OSINT (Open Source Intelligence) platform. The report appears to aggregate Indicators of Compromise (IOCs) relevant as of March 26, 2023. However, the data lacks specific details such as affected software versions, explicit malware family names, or technical indicators like hashes, IP addresses, or domains. The threat level is indicated as 2 on an unspecified scale, with an analysis rating of 1 and a distribution rating of 3, suggesting moderate dissemination but limited analytical depth. No known exploits in the wild are reported, and no patches or mitigations are linked. The absence of CWE identifiers and detailed technical descriptions limits the ability to pinpoint the exact nature or vector of the malware. The classification under "type:osint" and the TLP (Traffic Light Protocol) white tag imply that the information is publicly shareable and derived from open sources. Overall, this report serves as a general alert about malware-related IOCs circulating in the threat landscape as of the specified date, rather than a detailed vulnerability or exploit disclosure.

Potential Impact

Given the generic nature of the report and lack of specific technical details, the potential impact on European organizations is difficult to quantify precisely. However, malware threats typically pose risks to confidentiality, integrity, and availability of information systems. The moderate threat level and distribution rating suggest that the malware or associated IOCs may be moderately widespread, potentially targeting a range of organizations. European entities relying on OSINT platforms or threat intelligence feeds similar to ThreatFox could be indirectly impacted if they fail to incorporate these IOCs into their detection and response mechanisms. Without known exploits in the wild, immediate exploitation risk appears low, but the presence of malware IOCs signals ongoing reconnaissance or preparatory activity by threat actors. The lack of affected product versions and patch information implies that the threat may not be tied to a specific software vulnerability but rather to malware campaigns or infrastructure. Consequently, European organizations should remain vigilant, as malware infections can lead to data breaches, operational disruptions, and reputational damage.

Mitigation Recommendations

To effectively mitigate risks associated with this type of OSINT-derived malware intelligence, European organizations should:

1) Integrate ThreatFox and similar OSINT IOC feeds into their Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems to enhance detection capabilities.
2) Regularly update and tune intrusion detection/prevention systems (IDS/IPS) to recognize emerging malware indicators.
3) Conduct proactive threat hunting exercises using the latest IOCs to identify potential compromises early.
4) Maintain robust endpoint protection with behavioral analysis to detect malware that may not match known signatures.
5) Implement network segmentation and least privilege access controls to limit malware propagation.
6) Educate security teams on interpreting and operationalizing OSINT data effectively, ensuring timely response to new intelligence.
7) Establish incident response playbooks that incorporate OSINT-derived threat data to streamline containment and remediation.

These measures go beyond generic advice by emphasizing the operational integration of OSINT feeds and proactive threat management tailored to the nature of the reported intelligence.


Technical Details

Threat Level: 2
Analysis: 1
Distribution: 3
UUID: e92acf88-07e4-4ef1-bbeb-76a432387eed
Original Timestamp: 1679875385

Indicators of Compromise


Threat ID: 682c7ac1e3e6de8ceb76715e

Added to database: 5/20/2025, 12:51:13 PM

Last enriched: 6/19/2025, 2:18:04 PM

Last updated: 8/18/2025, 12:54:47 PM
