
ThreatFox IOCs for 2023-09-07

Medium
Published: Thu Sep 07 2023 (09/07/2023, 00:00:00 UTC)
Source: ThreatFox
Vendor/Project: type
Product: osint

Description

ThreatFox IOCs for 2023-09-07

AI-Powered Analysis

AI analysis last updated: 06/18/2025, 07:51:15 UTC

Technical Analysis

The threat information provided here is a set of Indicators of Compromise (IOCs) published on September 7, 2023, by ThreatFox, a platform for sharing threat intelligence and malware-related data. The entry is categorized as malware-related and is associated with OSINT (Open Source Intelligence) data. Details are limited: no affected software versions, no Common Weakness Enumerations (CWEs), and no known exploits in the wild are listed. The technical fields indicate a moderate threat level (threatLevel: 2 on an unspecified scale), moderate analysis confidence (analysis: 1), and a higher distribution factor (distribution: 3), suggesting the IOCs may be widely disseminated or relevant to multiple targets. Without concrete technical indicators, patch links, or exploit details, the exact attack vectors and malware behaviour cannot be pinpointed from this entry alone. Given ThreatFox's role as a repository for threat intelligence, this entry most likely represents a collection of IOCs tied to malware campaigns or infrastructure observed around the publication date rather than a single exploit or vulnerability. The medium severity rating assigned by the source is consistent with the moderate threat level and distribution: a risk that warrants attention but is not currently an immediate critical threat. Authentication and user-interaction requirements are not stated; in the OSINT context, these IOCs are intended for detection and prevention rather than describing a direct exploit that requires user action.

Potential Impact

For European organizations, the impact of this threat primarily revolves around the potential for malware infections or compromise through the indicators shared. Since the threat details are generic and no specific malware family or attack vector is identified, the risk lies in the possibility that these IOCs correspond to active or emerging malware campaigns targeting various sectors. The distribution factor suggests that multiple organizations or systems could be targeted or affected. Potential impacts include unauthorized access, data exfiltration, disruption of services, or lateral movement within networks if the malware is successfully deployed. The medium severity implies that while the threat is notable, it may not lead to widespread or catastrophic damage without additional factors such as targeted exploitation or vulnerabilities. European organizations with extensive exposure to open-source intelligence feeds or those relying on automated threat detection systems incorporating ThreatFox data may benefit from early warnings but must remain vigilant. The lack of known exploits in the wild reduces immediate risk but does not preclude future exploitation or the emergence of related malware variants.

Mitigation Recommendations

Given the nature of the threat as a set of IOCs rather than a specific vulnerability or exploit, mitigation should focus on enhancing detection and response capabilities. European organizations should integrate the latest ThreatFox IOCs into their Security Information and Event Management (SIEM) systems, intrusion detection/prevention systems (IDS/IPS), and endpoint detection and response (EDR) tools to identify potential malware activity promptly. Regularly updating threat intelligence feeds and correlating these IOCs with internal logs can improve early detection. Network segmentation and strict access controls can limit malware propagation if an infection occurs. Conducting threat hunting exercises using these IOCs can proactively identify compromised assets. Additionally, organizations should ensure robust patch management for all systems to reduce the attack surface, even though no specific patches are linked to this threat. Employee awareness training remains critical to reduce the risk of malware delivery via phishing or social engineering, which often accompany malware campaigns. Finally, sharing intelligence with relevant European cybersecurity information sharing organizations can enhance collective defense.


Technical Details

Threat Level
2
Analysis
1
Distribution
3
Uuid
f97d95a2-3d3a-4889-af8e-36b2c7438c31
Original Timestamp
1694131386

Indicators of Compromise


Threat ID: 682acdc4bbaf20d303f216c9

Added to database: 5/19/2025, 6:20:52 AM

Last enriched: 6/18/2025, 7:51:15 AM

Last updated: 8/18/2025, 12:37:40 PM
