
ThreatFox IOCs for 2023-08-11

Medium
Published: Fri Aug 11 2023 (08/11/2023, 00:00:00 UTC)
Source: MISP

Description

ThreatFox IOCs for 2023-08-11

AI-Powered Analysis

Last updated: 06/17/2025, 10:34:29 UTC

Technical Analysis

The provided information pertains to a set of ThreatFox Indicators of Compromise (IOCs) published on August 11, 2023. ThreatFox is a platform that aggregates and shares threat intelligence, primarily focusing on IOCs such as malicious IP addresses, domains, URLs, file hashes, and other artifacts linked to cyber threats. However, in this specific case, the data lacks detailed technical specifics such as affected software versions, vulnerability types, or exploit mechanisms. The threat is categorized as 'unknown' type with no associated Common Weakness Enumerations (CWEs) or patch information, indicating that it is likely a collection of raw threat intelligence rather than a description of a specific vulnerability or exploit. The severity is marked as medium, with a threat level of 2 (on an unspecified scale), analysis level 1, and distribution level 3, suggesting moderate confidence and dissemination of the intelligence. No known exploits in the wild have been reported, and no indicators are provided in the data. The tags indicate the data is open source intelligence (OSINT) and is shared under a white Traffic Light Protocol (TLP) classification, meaning it is intended for public sharing. Overall, this entry appears to be a routine update of threat intelligence IOCs without immediate actionable technical details or direct exploit information.

Potential Impact

Given the lack of specific technical details, affected systems, or known exploits, the direct impact of this threat intelligence update on European organizations is limited. However, the dissemination of IOCs can aid defenders in identifying and mitigating potential threats early. If these IOCs correspond to malicious infrastructure targeting European entities, organizations could face risks such as intrusion attempts, data exfiltration, or malware infections. The medium severity suggests a moderate level of concern, possibly reflecting the presence of active threat actors or campaigns associated with these IOCs. European organizations relying on threat intelligence feeds should integrate these IOCs into their detection systems to enhance situational awareness. Without concrete exploit details, the immediate risk to confidentiality, integrity, or availability is uncertain but should not be disregarded, especially for sectors with high exposure to cyber threats such as finance, critical infrastructure, and government.

Mitigation Recommendations

1. Integrate ThreatFox IOCs into existing Security Information and Event Management (SIEM) and Intrusion Detection/Prevention Systems (IDS/IPS) to enable automated detection and alerting on related malicious activity.
2. Conduct regular threat hunting exercises using the latest IOCs to proactively identify potential compromises within the network.
3. Maintain up-to-date threat intelligence sharing with trusted partners and Information Sharing and Analysis Centers (ISACs) to contextualize these IOCs within broader attack trends.
4. Enhance network segmentation and implement strict egress filtering to limit the impact of any potential intrusion linked to these IOCs.
5. Train security operations teams to recognize patterns associated with the types of threats typically reported by ThreatFox, improving response times.
6. Since no patches or specific vulnerabilities are indicated, focus on strengthening general cybersecurity hygiene, including timely patching of known vulnerabilities, multi-factor authentication, and least privilege access controls.


Technical Details

Threat Level: 2
Analysis: 1
Distribution: 3

Indicators of Compromise

Url

Value -- Description
http://116.203.166.240:27015/ -- Vidar botnet C2 (confidence level: 100%)
http://gcl-page.biz/stats/save.php -- CCleaner Backdoor botnet C2 (confidence level: 100%)
http://gcl-page.biz/check.php -- CCleaner Backdoor botnet C2 (confidence level: 100%)
http://beerword.xyz/ -- Lumma Stealer botnet C2 (confidence level: 100%)
http://45.9.74.70/2bfwen6kgtm/index.php -- Amadey botnet C2 (confidence level: 100%)
http://185.161.251.195/7basedbpoll/1/test/provider/processordefault.php -- DCRat botnet C2 (confidence level: 100%)
http://94.156.253.25/en_us/all.js -- Cobalt Strike botnet C2 (confidence level: 100%)
http://91.103.252.140/ -- RecordBreaker botnet C2 (confidence level: 100%)
http://216.128.145.196/~wellseconds/?p=060773029 -- Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
http://77.91.68.18/nice/index.php -- Amadey botnet C2 (confidence level: 100%)
http://216.128.145.196/~wellseconds/?p=529497154189253 -- Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
http://154.90.57.70/load -- Cobalt Strike botnet C2 (confidence level: 100%)
https://23.234.254.155:4433/g.pixel -- Cobalt Strike botnet C2 (confidence level: 100%)
https://vps.cpple.tk:4433/match -- Cobalt Strike botnet C2 (confidence level: 100%)
http://nesanocige.us:443/files/favicon.ico -- Cobalt Strike botnet C2 (confidence level: 75%)
https://198.46.226.96/visit.js -- Cobalt Strike botnet C2 (confidence level: 100%)
https://103.44.244.230/pixel -- Cobalt Strike botnet C2 (confidence level: 100%)
http://36.140.61.132:8080/ie9compatviewlist.xml -- Cobalt Strike botnet C2 (confidence level: 100%)
http://149.129.72.37:8880/g.pixel -- Cobalt Strike botnet C2 (confidence level: 100%)
http://45.42.160.55 -- JanelaRAT payload delivery URL (confidence level: 100%)
http://175.178.80.121:8001/ga.js -- Cobalt Strike botnet C2 (confidence level: 100%)
https://192.168.216.152/p/freemail/lib/polyfill/es5-polyfill.js -- Cobalt Strike botnet C2 (confidence level: 100%)
https://23.92.208.51/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books -- Cobalt Strike botnet C2 (confidence level: 100%)
https://154.9.253.54/api/3 -- Cobalt Strike botnet C2 (confidence level: 100%)

Ip dst|port

Value -- Description
80.85.157.78|28552 -- RedLine Stealer botnet C2 server (confidence level: 100%)
168.100.10.122|8081 -- RisePro botnet C2 server (confidence level: 50%)
77.126.0.168|443 -- QakBot botnet C2 server (confidence level: 50%)
185.147.34.178|55615 -- RedLine Stealer botnet C2 server (confidence level: 100%)
94.156.253.26|80 -- Cobalt Strike botnet C2 server (confidence level: 100%)
94.156.253.25|80 -- Cobalt Strike botnet C2 server (confidence level: 100%)
39.49.48.18|995 -- QakBot botnet C2 server (confidence level: 50%)
45.65.49.230|443 -- QakBot botnet C2 server (confidence level: 50%)
86.96.75.225|2222 -- QakBot botnet C2 server (confidence level: 50%)
100.4.182.242|2222 -- QakBot botnet C2 server (confidence level: 50%)
200.91.114.90|443 -- QakBot botnet C2 server (confidence level: 50%)
197.87.143.210|443 -- QakBot botnet C2 server (confidence level: 50%)
31.53.29.199|2222 -- QakBot botnet C2 server (confidence level: 50%)
113.193.95.237|443 -- QakBot botnet C2 server (confidence level: 50%)
77.91.68.18|80 -- Amadey botnet C2 server (confidence level: 50%)
66.35.127.81|2222 -- QakBot botnet C2 server (confidence level: 50%)
117.202.205.136|993 -- QakBot botnet C2 server (confidence level: 50%)
64.188.19.202|1604 -- Remcos botnet C2 server (confidence level: 75%)
89.23.100.178|7872 -- RedLine Stealer botnet C2 server (confidence level: 100%)
75.156.126.33|995 -- QakBot botnet C2 server (confidence level: 50%)
197.2.159.74|443 -- QakBot botnet C2 server (confidence level: 50%)
198.46.226.96|443 -- Cobalt Strike botnet C2 server (confidence level: 100%)
103.44.244.230|443 -- Cobalt Strike botnet C2 server (confidence level: 100%)
104.161.94.37|3001 -- JanelaRAT botnet C2 server (confidence level: 100%)
209.250.242.222|27532 -- RedLine Stealer botnet C2 server (confidence level: 100%)
118.107.46.132|31337 -- Sliver botnet C2 server (confidence level: 50%)
118.107.46.132|8888 -- Sliver botnet C2 server (confidence level: 50%)
100.36.21.114|31337 -- Sliver botnet C2 server (confidence level: 50%)
100.36.21.114|8888 -- Sliver botnet C2 server (confidence level: 50%)
118.107.46.131|31337 -- Sliver botnet C2 server (confidence level: 50%)
118.107.46.131|8888 -- Sliver botnet C2 server (confidence level: 50%)
118.107.46.133|8888 -- Sliver botnet C2 server (confidence level: 50%)
118.107.46.133|31337 -- Sliver botnet C2 server (confidence level: 50%)
194.87.236.17|8888 -- Sliver botnet C2 server (confidence level: 50%)
194.87.236.17|31337 -- Sliver botnet C2 server (confidence level: 50%)
91.103.253.43|443 -- Brute Ratel C4 botnet C2 server (confidence level: 50%)
146.190.219.130|443 -- Brute Ratel C4 botnet C2 server (confidence level: 50%)
35.74.154.31|80 -- Brute Ratel C4 botnet C2 server (confidence level: 50%)
64.176.168.231|80 -- Unknown malware botnet C2 server (confidence level: 50%)
188.124.39.62|7443 -- Unknown malware botnet C2 server (confidence level: 50%)
146.190.38.149|7443 -- Unknown malware botnet C2 server (confidence level: 50%)
103.225.198.216|7443 -- Unknown malware botnet C2 server (confidence level: 50%)
167.99.194.103|7443 -- Unknown malware botnet C2 server (confidence level: 50%)
3.78.199.107|9000 -- Deimos botnet C2 server (confidence level: 50%)
36.138.134.148|8443 -- Deimos botnet C2 server (confidence level: 50%)
124.24.58.252|9090 -- Deimos botnet C2 server (confidence level: 50%)
23.163.0.228|4772 -- BianLian botnet C2 server (confidence level: 50%)
109.248.6.223|8443 -- BianLian botnet C2 server (confidence level: 50%)
135.125.250.237|3170 -- BianLian botnet C2 server (confidence level: 50%)
208.123.119.153|4486 -- BianLian botnet C2 server (confidence level: 50%)
194.156.98.226|20143 -- BianLian botnet C2 server (confidence level: 50%)
103.20.235.154|2561 -- BianLian botnet C2 server (confidence level: 50%)
43.153.87.78|443 -- Havoc botnet C2 server (confidence level: 50%)
176.31.163.140|80 -- Havoc botnet C2 server (confidence level: 50%)
176.31.163.140|443 -- Havoc botnet C2 server (confidence level: 50%)
146.190.29.203|80 -- Havoc botnet C2 server (confidence level: 50%)
20.160.143.1|443 -- Havoc botnet C2 server (confidence level: 50%)
52.61.243.196|445 -- Responder botnet C2 server (confidence level: 50%)
52.61.243.196|80 -- Responder botnet C2 server (confidence level: 50%)
52.61.243.196|443 -- Responder botnet C2 server (confidence level: 50%)
104.194.222.50|445 -- Responder botnet C2 server (confidence level: 50%)
51.75.91.172|5985 -- Responder botnet C2 server (confidence level: 50%)
51.75.91.172|445 -- Responder botnet C2 server (confidence level: 50%)
15.200.170.168|80 -- Responder botnet C2 server (confidence level: 50%)
15.200.170.168|445 -- Responder botnet C2 server (confidence level: 50%)
137.184.225.245|443 -- Responder botnet C2 server (confidence level: 50%)
141.164.54.106|445 -- Responder botnet C2 server (confidence level: 50%)
34.150.43.70|443 -- pupy botnet C2 server (confidence level: 50%)
46.246.232.45|995 -- QakBot botnet C2 server (confidence level: 50%)
154.12.254.215|46452 -- DCRat botnet C2 server (confidence level: 50%)
164.92.144.116|80 -- IcedID botnet C2 server (confidence level: 75%)
143.110.241.178|80 -- IcedID botnet C2 server (confidence level: 75%)
159.223.95.82|80 -- IcedID botnet C2 server (confidence level: 75%)
176.124.32.164|80 -- IcedID botnet C2 server (confidence level: 75%)
167.71.35.189|80 -- IcedID botnet C2 server (confidence level: 75%)
185.153.182.156|80 -- IcedID botnet C2 server (confidence level: 75%)
128.199.151.179|80 -- IcedID botnet C2 server (confidence level: 75%)
43.138.230.201|443 -- Cobalt Strike botnet C2 server (confidence level: 100%)
23.92.208.51|443 -- Cobalt Strike botnet C2 server (confidence level: 100%)
154.9.253.54|443 -- Cobalt Strike botnet C2 server (confidence level: 100%)

Domain

Value -- Description
439mdxmex.damnserver.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
897midasgold.ddns.me -- JanelaRAT botnet C2 domain (confidence level: 100%)
9mdxmex.damnserver.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
aigodmoney009.access.ly -- JanelaRAT botnet C2 domain (confidence level: 100%)
askmrpc747bm.mymediapc.net -- JanelaRAT botnet C2 domain (confidence level: 100%)
brockmex57.golffan.us -- JanelaRAT botnet C2 domain (confidence level: 100%)
cinfintymex.geekgalaxy.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
cnt-blackrock.geekgalaxy.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
disrupmoney979.ditchyourip.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
dmrpc77bm.myactivedirectory.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
freelascdmx979.couchpotatofries.org -- JanelaRAT botnet C2 domain (confidence level: 100%)
hotdiamond777.loginto.me -- JanelaRAT botnet C2 domain (confidence level: 100%)
i89bydzi.dynns.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
ikmidasgold.ddns.me -- JanelaRAT botnet C2 domain (confidence level: 100%)
imrpc7987bm.mmafan.biz -- JanelaRAT botnet C2 domain (confidence level: 100%)
infintymex747.geekgalaxy.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
infintymexb.geekgalaxy.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
infintymexbrock.geekgalaxy.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
irocketxmtm.hopto.me -- JanelaRAT botnet C2 domain (confidence level: 100%)
izt89bydzi.dynns.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
j1d3c3mex.homesecuritypc.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
jinfintymexbr.geekgalaxy.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
jxjmrpc797bm.mydissent.net -- JanelaRAT botnet C2 domain (confidence level: 100%)
kakarotomx.dnsfor.me -- JanelaRAT botnet C2 domain (confidence level: 100%)
kktkarotomx.dnsfor.me -- JanelaRAT botnet C2 domain (confidence level: 100%)
megaskigoldmex.dvrcam.info -- JanelaRAT botnet C2 domain (confidence level: 100%)
minfintymexbr.geekgalaxy.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
myfunbmdablo99.hosthampster.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
myinfintyme09.geekgalaxy.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
rexsrupmoney979.ditchyourip.com -- JanelaRAT botnet C2 domain (confidence level: 100%)
skigoldmex.dvrcam.info -- JanelaRAT botnet C2 domain (confidence level: 100%)
zeedinfintymexbrock.geekgalaxy.com -- JanelaRAT botnet C2 domain (confidence level: 100%)

Threat ID: 6828eab9e1a0c275ea6e31d9

Added to database: 5/17/2025, 7:59:53 PM

Last enriched: 6/17/2025, 10:34:29 AM

Last updated: 8/14/2025, 6:18:51 PM

Views: 21
