ThreatFox IOCs for 2023-03-26
AI Analysis
Technical Summary
This page is an automated analysis of the ThreatFox daily indicator export for 26 March 2023. ThreatFox is abuse.ch's community platform for sharing malware indicators of compromise (IOCs), and its daily export is published as a MISP event, which is where the Uuid, Original Timestamp and the numeric Threat Level, Analysis and Distribution fields below come from: in MISP terms a threat level of 2 is "medium", an analysis state of 1 is "ongoing" and a distribution of 3 is "all communities". The type:osint and tlp:white tags mean the data is open-source and may be shared without restriction. Unlike a vulnerability advisory, the event carries no affected products, CVE or CWE, because it describes adversary infrastructure rather than a flaw. Its content is a set of command-and-control (C2) endpoints, C2 URLs and domains, and two payload hashes, each attributed to a malware family with a confidence level. The families present are commodity remote access trojans (AsyncRAT, NjRAT, DCRat, Ave Maria, NetSupport Manager RAT), information stealers (RedLine Stealer, Stealc, CryptBot, Loki PWS, Azorult), the Cobalt Strike post-exploitation framework, the IcedID loader, Linux and IoT DDoS botnets (Mirai, Tsunami, XOR DDoS), Android malware (SpyNote payloads and Alien C2s), and two lower-confidence entries (Deimos and BianLian, both at 50%). One presentation defect should be kept in mind when reading the indicator lists: ThreatFox publishes C2 servers as ip:port pairs, but this page has split each pair into a "file" entry holding the IP address and a "hash" entry holding the port, so values such as 443, 6667 or 8808 under "hash" are TCP ports, not file hashes. Only the final two hash entries, a SHA-256 and an MD5 of SpyNote samples, are genuine file hashes.
Potential Impact
Because these are C2 indicators rather than a vulnerability, the impact question is not "could we be exploited" but "is anything in our estate already talking to this infrastructure". A host that connects to one of the listed ip:port pairs or C2 URLs is, with the stated confidence, already infected. What that means depends on the family: the stealers (RedLine, Stealc, CryptBot, Loki, Azorult) exfiltrate browser credentials, cookies and session tokens, the usual entry point for follow-on account takeover; the RATs (AsyncRAT, NjRAT, DCRat, Ave Maria, NetSupport) give an operator interactive control of the endpoint; Cobalt Strike and IcedID are the tooling most often seen in the hands-on-keyboard phase that precedes ransomware deployment; the Mirai, Tsunami and XOR DDoS entries matter for exposed Linux servers and IoT devices, which are enrolled for DDoS rather than data theft; the SpyNote and Alien entries affect Android devices and therefore BYOD and mobile banking users. The confidentiality, integrity and availability risk for European organizations therefore spans the full range, and the "medium" threat level is a MISP event field, not an assessment of any single indicator. Two caveats limit what the list proves. First, it is dated: C2 infrastructure for commodity malware is typically rotated within days or weeks, and this page was only ingested in May 2025, so the indicators are best used to retro-hunt telemetry from around March 2023 rather than as evidence of current activity. Second, several entries sit on shared cloud or hosting infrastructure (a cloudfront.net distribution, a Tencent API gateway hostname, a 000webhostapp.com site, cloud provider address space), where the IP address alone is a weak indicator and the full hostname or URL is the reliable one.
Mitigation Recommendations
Since the indicators describe infrastructure, the useful actions are detection, hunting and containment rather than patching:
1) Normalise the export before loading it. Rejoin each "file" IP with the "hash" port that follows it into an ip:port indicator, keep the two SpyNote hashes (SHA-256 and MD5) as file-hash indicators, and load the result into the SIEM, EDR, web proxy and DNS resolver match lists. Matching an IP without its port produces needless noise on shared hosts; matching the port alone is meaningless.
2) Match on the most specific form available. Use the full URL for the Cobalt Strike beacons, whose paths (/fwlink, /pixel, /ga.js, /updates.rss, an Amazon-style /s/ref=...field-keywords=books) imitate legitimate Microsoft, Google and Amazon traffic by design, so the path alone will false-positive; use the hostname for entries on shared infrastructure (def30qw5ks4uw.cloudfront.net, the bj.apigw.tencentcs.com hostname, hhs2.000webhostapp.com), where blocking the IP would hit unrelated tenants; use ip:port for the direct-IP RAT and stealer C2s.
3) Retro-hunt before blocking. Search proxy, DNS, NetFlow and EDR network telemetry from the weeks around 26 March 2023 for these values; a hit on an ip:port or C2 URL means the host was already compromised and needs incident response (isolation, credential reset for stealer victims, forensic triage), not just a firewall rule.
4) Age the indicators out. Commodity C2 infrastructure churns quickly and the addresses may since have been reassigned; keep them in hunting sets, but re-validate against ThreatFox before adding them to long-lived block lists, and treat the 50% confidence entries (Deimos, BianLian) as alerts rather than blocks.
5) Tune IDS/IPS and egress filtering to the protocols in the list: IRC on 6667 for the Tsunami bots (and irc.byroe.org), telnet on 23 for the Mirai C2, and unusual high ports for the AsyncRAT, NjRAT and RedLine servers; servers and IoT segments rarely have a legitimate reason to open outbound IRC or telnet.
6) Keep behavioural detection in place for the families themselves (credential-store access by stealers, process injection and named-pipe patterns typical of Cobalt Strike, unattended remote-control tooling such as NetSupport), since infrastructure indicators expire but the tradecraft does not.
7) Segment networks and enforce least privilege so that a single infected endpoint, and in particular a stealer victim's credentials, cannot be turned into lateral movement, and keep incident response playbooks that say what to do on an IOC hit rather than only how to block it.
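One way to carry out the normalisation and hunting steps above, as an added example that is not code from this page, from ThreatFox or from the aggregator: it takes an excerpt of the page's own flattened indicator list, rejoins each "file" IP with the "hash" port that follows it, types the two real hashes, and then runs a handful of constructed firewall, DNS, proxy and file-hash events against the result, matching a URL event on both its exact URL and the ip:port behind it and a DNS event on parent domains. The event field names (dst_ip, dst_port, domain, url, md5, sha256) and the log events themselves are this example's own convention, not a SIEM schema.

```python
"""Normalise a ThreatFox daily dump and hunt for its indicators in log events."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Excerpt of the page's flattened indicator list, copied verbatim. The page writes
# each ip:port as a 'file:' line (IP) then a 'hash:' line (port); only the last two
# 'hash:' lines are real file hashes.
RAW_IOCS = """\
- file: 45.227.252.9
- hash: 443
- url: https://45.227.252.9/updates/check
- domain: hufipeh.com
- file: 139.180.143.50
- hash: 6606
- file: 139.180.143.50
- hash: 7707
- domain: skeptictyson.com
- hash: 788008b98d8bff8f880b888c29ddddfa7b02e1a49243caf97ee3af8d3646e890
- hash: e08da72431a91099ef721333af8f2a4c
"""
LINE_RE = re.compile(r"^-\s*(file|hash|url|domain):\s*(\S+)\s*$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass(frozen=True, order=True)
class Ioc:
    kind: str  # "ip:port", "domain", "url", "sha256" or "md5"
    value: str


def _is_ip(text: str) -> bool:
    try:
        return ipaddress.ip_address(text) is not None
    except ValueError:
        return False


def parse_iocs(text: str) -> set[Ioc]:
    """Rejoin the file/hash pairs into ip:port and type every indicator."""
    iocs: set[Ioc] = set()
    pending_ip = None  # IP from a 'file:' line still waiting for its port
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label, value = m.group(1), m.group(2)
        if label == "file" and _is_ip(value):
            pending_ip = value
        elif label == "hash":
            v = value.lower()
            if v.isdigit() and pending_ip and 0 < int(v) < 65536:
                iocs.add(Ioc("ip:port", f"{pending_ip}:{int(v)}"))
            elif HEX_RE.match(v) and len(v) in (32, 64):
                iocs.add(Ioc("md5" if len(v) == 32 else "sha256", v))
            pending_ip = None  # a port or a hash always closes the pair
        elif label == "domain":
            iocs.add(Ioc("domain", value.lower().rstrip(".")))
        elif label == "url":
            iocs.add(Ioc("url", value))
    return iocs


def _domain_hits(host: str, iocs: set[Ioc]) -> set[Ioc]:
    """Exact or parent-domain match, so app.example.com hits example.com."""
    host = host.lower().rstrip(".")
    return {i for i in iocs if i.kind == "domain"
            and (host == i.value or host.endswith("." + i.value))}


def match_event(event: dict, iocs: set[Ioc]) -> list[Ioc]:
    """Return every indicator one log event touches; every key is optional."""
    hits: set[Ioc] = set()
    if "dst_ip" in event and "dst_port" in event:  # NetFlow / firewall log
        hits |= {Ioc("ip:port", f"{event['dst_ip']}:{int(event['dst_port'])}")} & iocs
    if "domain" in event:  # DNS query log
        hits |= _domain_hits(event["domain"], iocs)
    if "url" in event:  # proxy log: exact URL, then the host behind it
        url = event["url"]
        hits |= {Ioc("url", url)} & iocs
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if _is_ip(host):
            hits |= {Ioc("ip:port", f"{host}:{port}")} & iocs
        else:
            hits |= _domain_hits(host, iocs)
    for kind in ("sha256", "md5"):  # EDR file event
        if kind in event:
            hits |= {Ioc(kind, event[kind].lower())} & iocs
    return sorted(hits)


# Constructed log events for the example; not real telemetry.
SAMPLE_EVENTS = [
    {"dst_ip": "139.180.143.50", "dst_port": 6606},   # hit: AsyncRAT C2
    {"dst_ip": "139.180.143.50", "dst_port": 443},    # no hit: port not listed
    {"domain": "app.skeptictyson.com"},               # hit via parent domain
    {"url": "https://45.227.252.9/updates/check"},    # hit: URL and ip:port
    {"url": "https://hufipeh.com/login"},             # hit: domain only
    {"md5": "E08DA72431A91099EF721333AF8F2A4C"},      # hit: case-folded hash
]


def hunt(events: list[dict], iocs: set[Ioc]) -> list[tuple[int, Ioc]]:
    """(event index, indicator) pairs for every hit across a batch of events."""
    return [(n, i) for n, ev in enumerate(events) for i in match_event(ev, iocs)]
```

Matching the port together with the IP is what keeps the second sample event quiet: 139.180.143.50 on 443 is not in the export, only its AsyncRAT ports are, and a bare-IP match would alert on every tenant of a shared host. The parent-domain rule is the reverse trade-off, deliberately broad so that app.skeptictyson.com is caught by the skeptictyson.com entry.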
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
The export lists each ip:port indicator as a "file" line (the IP address) followed by a "hash" line (the port); they are rejoined below, and only the SHA-256 and MD5 at the end are file hashes.
- ip:port: 78.171.173.96:1044
- ip:port: 45.66.248.114:8899
- url: https://hufipeh.com/rn.css
- domain: hufipeh.com
- url: https://45.227.252.9/updates/check
- ip:port: 45.227.252.9:443
- url: https://def30qw5ks4uw.cloudfront.net/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- domain: def30qw5ks4uw.cloudfront.net
- ip:port: 23.21.52.245:443
- ip:port: 46.161.27.160:443
- ip:port: 212.113.116.143:29996
- ip:port: 96.49.241.146:6667
- ip:port: 54.165.154.154:6667
- ip:port: 103.161.185.156:6667
- ip:port: 167.99.137.140:6667
- domain: irc.byroe.org
- ip:port: 94.142.138.199:27213
- ip:port: 139.180.143.50:11334
- ip:port: 139.180.143.50:6606
- ip:port: 139.180.143.50:7707
- ip:port: 139.180.143.50:8808
- ip:port: 135.181.49.56:17248
- ip:port: 3.127.138.57:17425
- ip:port: 103.178.228.103:56999
- ip:port: 188.40.130.169:2140
- ip:port: 212.64.215.188:1337
- ip:port: 84.38.130.181:5200
- url: http://185.246.220.85/prof/five/fre.php
- url: http://45.137.65.70/privatesecureproton/test/78requestlocal/universalvideodatalifepublic/8/imageprocessortemporarymulti/7temp/0/securepacketprocessorwindowswordpress.php
- url: http://cw31476.tw1.ru/_defaultwindows.php
- url: http://116.203.125.44/507d5f6a261ae9ed.php
- url: http://nekxtu72.top/gate.php
- ip:port: 185.216.13.77:6779
- ip:port: 5.154.181.54:80
- ip:port: 45.138.74.246:23202
- url: http://ergrtgrtgwrgrgrgrgwregergerg.cloud/9046019a53d66236.php
- url: https://rifovekina.com/disable/it/jcq9le2ok2tg
- domain: rifovekina.com
- url: https://23.82.140.115/disable/it/jcq9le2ok2tg
- ip:port: 23.82.140.115:443
- url: http://1.12.62.177:35465/updates.rss
- url: http://85.209.135.29/cx
- url: http://185.143.223.128/g.pixel
- url: http://service-14dd1oy1-1301249313.bj.apigw.tencentcs.com/api/getit
- domain: service-14dd1oy1-1301249313.bj.apigw.tencentcs.com
- ip:port: 123.249.25.224:80
- ip:port: 123.99.198.201:20192
- ip:port: 185.206.144.136:23
- url: https://1.116.96.210:19443/load
- ip:port: 124.248.67.68:20192
- url: https://101.33.118.123/fwlink
- ip:port: 101.33.118.123:443
- url: https://103.150.173.202/pixel
- ip:port: 103.150.173.202:443
- url: http://193.42.33.249/pixel
- url: https://103.103.128.149:4443/fwlink
- ip:port: 103.106.245.71:53
- ip:port: 103.106.245.71:112
- domain: p10.sb1024.net
- domain: p6.fly1989.com
- domain: p5.2018fly.com
- domain: ww.dnstells.com
- domain: ww.gzcfr5axf6.com
- domain: ww.gzcfr5axf7.com
- domain: ww.myserv012.com
- domain: ww.search2c.com
- url: http://16.162.16.186:8080/wp06/wp-includes/po.php
- url: http://23.234.239.134:35661/ga.js
- ip:port: 43.139.124.22:6666
- ip:port: 94.142.138.207:41751
- url: http://hhs2.000webhostapp.com/index.php
- url: http://kvq9t8pe7ssjps8p4iqj.xyz
- url: http://5.9.130.44
- url: http://5.9.130.46
- url: http://sparrawx.net/
- url: http://mrbenlale.net/
- ip:port: 193.233.20.33:4125
- ip:port: 34.147.114.77:8800
- ip:port: 89.203.129.99:443
- url: http://904927.clmonth.nyashteam.top/nyashsupport.php
- ip:port: 45.82.251.44:443
- ip:port: 84.38.133.19:5200
- url: http://th852.com/zomgapt
- domain: th852.com
- ip:port: 2.58.65.169:80
- url: https://129.226.92.29/g.pixel
- url: http://123.57.194.64/ie9compatviewlist.xml
- sha256: 788008b98d8bff8f880b888c29ddddfa7b02e1a49243caf97ee3af8d3646e890
- domain: skeptictyson.com
- domain: app.skeptictyson.com
- md5: e08da72431a91099ef721333af8f2a4c
Technical Details
- Threat Level: 2 (MISP threat level; 2 = medium)
- Analysis: 1 (MISP analysis state; 1 = ongoing)
- Distribution: 3 (MISP distribution; 3 = all communities)
- Uuid: e92acf88-07e4-4ef1-bbeb-76a432387eed
- Original Timestamp: 1679875385 (Unix epoch; 2023-03-27 00:03:05 UTC)
Indicators of Compromise
IP:port
The export's "file" entries are IP addresses and the numeric "hash" entries that follow them are TCP ports; the two are rejoined here.
| Value | Description |
|---|---|
| 78.171.173.96:1044 | AsyncRAT botnet C2 server (confidence level: 75%) |
| 45.66.248.114:8899 | AsyncRAT botnet C2 server (confidence level: 75%) |
| 45.227.252.9:443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 23.21.52.245:443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 46.161.27.160:443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 212.113.116.143:29996 | RedLine Stealer botnet C2 server (confidence level: 100%) |
| 96.49.241.146:6667 | Tsunami botnet C2 server (confidence level: 75%) |
| 54.165.154.154:6667 | Tsunami botnet C2 server (confidence level: 75%) |
| 103.161.185.156:6667 | Tsunami botnet C2 server (confidence level: 75%) |
| 167.99.137.140:6667 | Tsunami botnet C2 server (confidence level: 75%) |
| 94.142.138.199:27213 | RedLine Stealer botnet C2 server (confidence level: 100%) |
| 139.180.143.50:11334 | AsyncRAT botnet C2 server (confidence level: 75%) |
| 139.180.143.50:6606 | AsyncRAT botnet C2 server (confidence level: 75%) |
| 139.180.143.50:7707 | AsyncRAT botnet C2 server (confidence level: 75%) |
| 139.180.143.50:8808 | AsyncRAT botnet C2 server (confidence level: 75%) |
| 135.181.49.56:17248 | RedLine Stealer botnet C2 server (confidence level: 100%) |
| 3.127.138.57:17425 | NjRAT botnet C2 server (confidence level: 100%) |
| 103.178.228.103:56999 | Mirai botnet C2 server (confidence level: 75%) |
| 188.40.130.169:2140 | NetSupportManager RAT botnet C2 server (confidence level: 100%) |
| 212.64.215.188:1337 | Mirai botnet C2 server (confidence level: 75%) |
| 84.38.130.181:5200 | Ave Maria botnet C2 server (confidence level: 100%) |
| 185.216.13.77:6779 | RedLine Stealer botnet C2 server (confidence level: 100%) |
| 5.154.181.54:80 | RedLine Stealer botnet C2 server (confidence level: 100%) |
| 45.138.74.246:23202 | RedLine Stealer botnet C2 server (confidence level: 100%) |
| 23.82.140.115:443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 123.249.25.224:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 123.99.198.201:20192 | NjRAT botnet C2 server (confidence level: 100%) |
| 185.206.144.136:23 | Mirai botnet C2 server (confidence level: 75%) |
| 124.248.67.68:20192 | NjRAT botnet C2 server (confidence level: 100%) |
| 101.33.118.123:443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 103.150.173.202:443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 103.106.245.71:53 | XOR DDoS botnet C2 server (confidence level: 75%) |
| 103.106.245.71:112 | XOR DDoS botnet C2 server (confidence level: 75%) |
| 43.139.124.22:6666 | AsyncRAT botnet C2 server (confidence level: 75%) |
| 94.142.138.207:41751 | RedLine Stealer botnet C2 server (confidence level: 100%) |
| 193.233.20.33:4125 | RedLine Stealer botnet C2 server (confidence level: 100%) |
| 34.147.114.77:8800 | Deimos botnet C2 server (confidence level: 50%) |
| 89.203.129.99:443 | BianLian botnet C2 server (confidence level: 50%) |
| 45.82.251.44:443 | IcedID botnet C2 server (confidence level: 75%) |
| 84.38.133.19:5200 | Ave Maria botnet C2 server (confidence level: 100%) |
| 2.58.65.169:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
Hash
| Value | Description |
|---|---|
| 788008b98d8bff8f880b888c29ddddfa7b02e1a49243caf97ee3af8d3646e890 (SHA-256) | SpyNote payload (confidence level: 100%) |
| e08da72431a91099ef721333af8f2a4c (MD5) | SpyNote payload (confidence level: 100%) |
Url
| Value | Description |
|---|---|
| https://hufipeh.com/rn.css | Cobalt Strike botnet C2 (confidence level: 100%) |
| https://45.227.252.9/updates/check | Cobalt Strike botnet C2 (confidence level: 100%) |
| https://def30qw5ks4uw.cloudfront.net/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books | Cobalt Strike botnet C2 (confidence level: 100%) |
| http://185.246.220.85/prof/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%) |
| http://45.137.65.70/privatesecureproton/test/78requestlocal/universalvideodatalifepublic/8/imageprocessortemporarymulti/7temp/0/securepacketprocessorwindowswordpress.php | DCRat botnet C2 (confidence level: 100%) |
| http://cw31476.tw1.ru/_defaultwindows.php | DCRat botnet C2 (confidence level: 100%) |
| http://116.203.125.44/507d5f6a261ae9ed.php | Stealc botnet C2 (confidence level: 100%) |
| http://nekxtu72.top/gate.php | CryptBot botnet C2 (confidence level: 100%) |
| http://ergrtgrtgwrgrgrgrgwregergerg.cloud/9046019a53d66236.php | Stealc botnet C2 (confidence level: 100%) |
| https://rifovekina.com/disable/it/jcq9le2ok2tg | Cobalt Strike botnet C2 (confidence level: 100%) |
| https://23.82.140.115/disable/it/jcq9le2ok2tg | Cobalt Strike botnet C2 (confidence level: 100%) |
| http://1.12.62.177:35465/updates.rss | Cobalt Strike botnet C2 (confidence level: 100%) |
| http://85.209.135.29/cx | Cobalt Strike botnet C2 (confidence level: 100%) |
| http://185.143.223.128/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
| http://service-14dd1oy1-1301249313.bj.apigw.tencentcs.com/api/getit | Cobalt Strike botnet C2 (confidence level: 100%) |
| https://1.116.96.210:19443/load | Cobalt Strike botnet C2 (confidence level: 100%) |
| https://101.33.118.123/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) |
| https://103.150.173.202/pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
| http://193.42.33.249/pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
| https://103.103.128.149:4443/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) |
| http://16.162.16.186:8080/wp06/wp-includes/po.php | Cobalt Strike botnet C2 (confidence level: 100%) |
| http://23.234.239.134:35661/ga.js | Cobalt Strike botnet C2 (confidence level: 100%) |
| http://hhs2.000webhostapp.com/index.php | Azorult botnet C2 (confidence level: 100%) |
| http://kvq9t8pe7ssjps8p4iqj.xyz | Alien botnet C2 (confidence level: 80%) |
| http://5.9.130.44 | Alien botnet C2 (confidence level: 80%) |
| http://5.9.130.46 | Alien botnet C2 (confidence level: 80%) |
| http://sparrawx.net/ | Alien botnet C2 (confidence level: 80%) |
| http://mrbenlale.net/ | Alien botnet C2 (confidence level: 80%) |
| http://904927.clmonth.nyashteam.top/nyashsupport.php | DCRat botnet C2 (confidence level: 100%) |
| http://th852.com/zomgapt | Cobalt Strike botnet C2 (confidence level: 100%) |
| https://129.226.92.29/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) |
| http://123.57.194.64/ie9compatviewlist.xml | Cobalt Strike botnet C2 (confidence level: 100%) |
Domain
| Value | Description |
|---|---|
| hufipeh.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
| def30qw5ks4uw.cloudfront.net | Cobalt Strike botnet C2 domain (confidence level: 100%) |
| irc.byroe.org | Tsunami botnet C2 domain (confidence level: 100%) |
| rifovekina.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
| service-14dd1oy1-1301249313.bj.apigw.tencentcs.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
| p10.sb1024.net | XOR DDoS botnet C2 domain (confidence level: 100%) |
| p6.fly1989.com | XOR DDoS botnet C2 domain (confidence level: 100%) |
| p5.2018fly.com | XOR DDoS botnet C2 domain (confidence level: 100%) |
| ww.dnstells.com | XOR DDoS botnet C2 domain (confidence level: 100%) |
| ww.gzcfr5axf6.com | XOR DDoS botnet C2 domain (confidence level: 100%) |
| ww.gzcfr5axf7.com | XOR DDoS botnet C2 domain (confidence level: 100%) |
| ww.myserv012.com | XOR DDoS botnet C2 domain (confidence level: 100%) |
| ww.search2c.com | XOR DDoS botnet C2 domain (confidence level: 100%) |
| th852.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
| skeptictyson.com | SpyNote payload delivery domain (confidence level: 100%) |
| app.skeptictyson.com | SpyNote payload delivery domain (confidence level: 100%) |
Threat ID: 682c7ac1e3e6de8ceb76715e
Added to database: 5/20/2025, 12:51:13 PM
Last enriched: 6/19/2025, 2:18:04 PM
Last updated: 8/18/2025, 12:54:47 PM