Skip to main content
Radar
DashboardThreatsMapFeedsAPI
reconnecting

ThreatFox IOCs for 2023-09-08

Medium
Malwaretype:osinttlp:white
Published: Fri Sep 08 2023 (09/08/2023, 00:00:00 UTC)
Source: ThreatFox MISP Feed
Vendor/Project: type
Product: osint

Description

ThreatFox IOCs for 2023-09-08

AI-Powered Analysis

AILast updated: 07/05/2025, 23:10:59 UTC

Technical Analysis

The provided information pertains to a set of Indicators of Compromise (IOCs) published on September 8, 2023, by the ThreatFox MISP Feed. These IOCs are related to malware activities categorized under OSINT (Open Source Intelligence), network activity, and payload delivery. However, the data lacks specific technical details such as affected software versions, detailed attack vectors, or explicit malware behavior. The threat level is indicated as medium with a threatLevel score of 2, analysis score of 1, and distribution score of 3, suggesting moderate concern but limited immediate danger. No known exploits in the wild or patches are available, and there are no CWE identifiers linked to this threat, indicating that it may be a newly observed or emerging threat without established exploit patterns. The absence of indicators in the provided data limits the ability to perform detailed forensic or detection rule development. Overall, this appears to be a general alert about malware-related IOCs disseminated for situational awareness rather than a specific, active exploit or vulnerability targeting particular systems.

Potential Impact

For European organizations, the impact of this threat is currently limited due to the lack of detailed exploit information and absence of known active exploitation. However, the presence of malware-related IOCs and payload delivery mechanisms implies potential risks if these indicators are linked to targeted campaigns or if they evolve into active threats. Organizations relying on OSINT for threat detection may benefit from integrating these IOCs into their monitoring systems to enhance early warning capabilities. The medium severity suggests that while immediate disruption or data compromise is unlikely, there is a moderate risk of network intrusion or malware infection if these IOCs correspond to emerging threats. European entities with critical infrastructure or sensitive data should remain vigilant, as payload delivery mechanisms can lead to ransomware, data exfiltration, or system compromise if exploited.

Mitigation Recommendations

Given the limited technical details, European organizations should focus on proactive threat intelligence integration and network hygiene. Specific recommendations include: 1) Incorporate the latest ThreatFox IOCs into SIEM and endpoint detection and response (EDR) platforms to improve detection of related malware activities. 2) Conduct regular network traffic analysis to identify anomalous payload delivery attempts, especially those matching known IOC patterns once available. 3) Enhance employee awareness training on phishing and social engineering, as payload delivery often leverages these vectors. 4) Maintain up-to-date backups and incident response plans to mitigate potential impacts of malware infections. 5) Collaborate with national cybersecurity centers and information sharing groups to receive timely updates on emerging threats linked to these IOCs. 6) Since no patches are available, focus on network segmentation and least privilege principles to limit lateral movement if compromise occurs.

Affected Countries

GermanyGermany
FranceFrance
United KingdomUnited Kingdom
NetherlandsNetherlands
ItalyItaly
SpainSpain
PolandPoland
Need more detailed analysis?Get Pro

Technical Details

Threat Level
2
Analysis
1
Distribution
3
Uuid
fd6d6276-0d5f-4b2b-94e7-5681eaa31989
Original Timestamp
1694217785

Indicators of Compromise

File

ValueDescriptionCopy
file20.0.54.48
RedLine Stealer botnet C2 server (confidence level: 100%)
file23.108.57.87
RedLine Stealer botnet C2 server (confidence level: 100%)
file179.60.147.4
Meterpreter botnet C2 server (confidence level: 100%)
file194.147.140.232
Remcos botnet C2 server (confidence level: 100%)
file3.214.57.4
Unknown malware botnet C2 server (confidence level: 50%)
file208.123.119.100
BianLian botnet C2 server (confidence level: 50%)
file66.135.16.39
Havoc botnet C2 server (confidence level: 50%)
file80.85.152.108
Havoc botnet C2 server (confidence level: 50%)
file159.223.205.33
Havoc botnet C2 server (confidence level: 50%)
file89.96.196.150
Responder botnet C2 server (confidence level: 50%)
file3.216.91.201
Responder botnet C2 server (confidence level: 50%)
file13.90.242.103
Responder botnet C2 server (confidence level: 50%)
file165.154.221.149
Responder botnet C2 server (confidence level: 50%)
file188.165.185.107
Responder botnet C2 server (confidence level: 50%)
file223.26.57.45
DCRat botnet C2 server (confidence level: 50%)
file180.12.159.131
DCRat botnet C2 server (confidence level: 50%)
file150.107.2.176
DCRat botnet C2 server (confidence level: 50%)
file42.194.178.221
Unknown malware botnet C2 server (confidence level: 50%)
file38.47.238.225
Cobalt Strike botnet C2 server (confidence level: 100%)
file217.145.238.175
WhiteSnake Stealer botnet C2 server (confidence level: 100%)
file78.46.66.9
WhiteSnake Stealer botnet C2 server (confidence level: 100%)
file5.42.65.62
RedLine Stealer botnet C2 server (confidence level: 100%)
file95.214.25.236
AsyncRAT botnet C2 server (confidence level: 75%)
file179.13.3.111
Remcos payload delivery server (confidence level: 75%)
file185.252.179.66
AsyncRAT botnet C2 server (confidence level: 75%)
file162.33.179.240
IcedID botnet C2 server (confidence level: 75%)
file45.61.138.12
IcedID botnet C2 server (confidence level: 75%)
file193.31.28.123
Meterpreter botnet C2 server (confidence level: 100%)
file41.216.188.29
Ave Maria botnet C2 server (confidence level: 100%)
file41.68.165.218
NjRAT botnet C2 server (confidence level: 100%)
file3.125.188.168
NjRAT botnet C2 server (confidence level: 100%)
file35.157.111.131
NjRAT botnet C2 server (confidence level: 100%)
file3.68.56.232
NjRAT botnet C2 server (confidence level: 100%)
file91.103.252.180
RedLine Stealer botnet C2 server (confidence level: 100%)
file91.149.232.174
IcedID botnet C2 server (confidence level: 75%)
file193.149.176.133
IcedID botnet C2 server (confidence level: 75%)
file87.237.54.28
RedLine Stealer botnet C2 server (confidence level: 100%)
file93.123.118.3
Ave Maria botnet C2 server (confidence level: 100%)
file89.23.98.29
RedLine Stealer botnet C2 server (confidence level: 100%)

Hash

ValueDescriptionCopy
hash5810
RedLine Stealer botnet C2 server (confidence level: 100%)
hash11955
RedLine Stealer botnet C2 server (confidence level: 100%)
hash58731
Meterpreter botnet C2 server (confidence level: 100%)
hash6609
Remcos botnet C2 server (confidence level: 100%)
hash7443
Unknown malware botnet C2 server (confidence level: 50%)
hash6613
BianLian botnet C2 server (confidence level: 50%)
hash443
Havoc botnet C2 server (confidence level: 50%)
hash443
Havoc botnet C2 server (confidence level: 50%)
hash80
Havoc botnet C2 server (confidence level: 50%)
hash445
Responder botnet C2 server (confidence level: 50%)
hash443
Responder botnet C2 server (confidence level: 50%)
hash80
Responder botnet C2 server (confidence level: 50%)
hash445
Responder botnet C2 server (confidence level: 50%)
hash445
Responder botnet C2 server (confidence level: 50%)
hash8848
DCRat botnet C2 server (confidence level: 50%)
hash64432
DCRat botnet C2 server (confidence level: 50%)
hash8848
DCRat botnet C2 server (confidence level: 50%)
hash8888
Unknown malware botnet C2 server (confidence level: 50%)
hash443
Cobalt Strike botnet C2 server (confidence level: 100%)
hash80
WhiteSnake Stealer botnet C2 server (confidence level: 100%)
hash8080
WhiteSnake Stealer botnet C2 server (confidence level: 100%)
hash46961
RedLine Stealer botnet C2 server (confidence level: 100%)
hash4404
AsyncRAT botnet C2 server (confidence level: 75%)
hashd27224eb9e5c34abfb22ba1941f3c4c4fbcfb5702899f8cf4fe280f4aa881d44
Remcos payload (confidence level: 75%)
hash5a21b731fa6efbd890bcec79dc8ee32d38d78ff56ba4570b7edeef947b335484
Remcos payload (confidence level: 75%)
hash77e02a67b7335161ae2abc3cd2a71540b75c78ab564cb3d993ae1e6dbcbeb615
Remcos payload (confidence level: 75%)
hash2449
Remcos payload delivery server (confidence level: 75%)
hash6906
AsyncRAT botnet C2 server (confidence level: 75%)
hash433
IcedID botnet C2 server (confidence level: 75%)
hash443
IcedID botnet C2 server (confidence level: 75%)
hash4444
Meterpreter botnet C2 server (confidence level: 100%)
hash5200
Ave Maria botnet C2 server (confidence level: 100%)
hash1177
NjRAT botnet C2 server (confidence level: 100%)
hash12866
NjRAT botnet C2 server (confidence level: 100%)
hash12866
NjRAT botnet C2 server (confidence level: 100%)
hash12866
NjRAT botnet C2 server (confidence level: 100%)
hash16711
RedLine Stealer botnet C2 server (confidence level: 100%)
hash80
IcedID botnet C2 server (confidence level: 75%)
hash80
IcedID botnet C2 server (confidence level: 75%)
hash18186
RedLine Stealer botnet C2 server (confidence level: 100%)
hash46308
Ave Maria botnet C2 server (confidence level: 100%)
hash41686
RedLine Stealer botnet C2 server (confidence level: 100%)

Domain

ValueDescriptionCopy
domainsept7ama.tuktuk.ug
RedLine Stealer botnet C2 domain (confidence level: 100%)
domainkevinbrawiewu.com
IcedID botnet C2 domain (confidence level: 100%)
domainclainsrimauto.com
IcedID botnet C2 domain (confidence level: 100%)
domainkaheshanpa.com
IcedID botnet C2 domain (confidence level: 100%)
domain04septgo.tuktuk.ug
RedLine Stealer botnet C2 domain (confidence level: 100%)
domainekb.tuktuk.ug
RedLine Stealer botnet C2 domain (confidence level: 100%)
domainfk29.tuktuk.ug
RedLine Stealer botnet C2 domain (confidence level: 100%)
domainmsk.tuktuk.ug
RedLine Stealer botnet C2 domain (confidence level: 100%)
domainsept4em.tuktuk.ug
RedLine Stealer botnet C2 domain (confidence level: 100%)
domainsept5ama.tuktuk.ug
RedLine Stealer botnet C2 domain (confidence level: 100%)
domainsept7amd.tuktuk.ug
RedLine Stealer botnet C2 domain (confidence level: 100%)
domainbitsvertise.com
Unknown malware payload delivery domain (confidence level: 100%)
domainblgbeach.com
Unknown malware payload delivery domain (confidence level: 100%)
domaindbgsymbol.com
Unknown malware payload delivery domain (confidence level: 100%)
domainecordillos.com
Unknown malware payload delivery domain (confidence level: 100%)
domainismartrium.com
Unknown malware payload delivery domain (confidence level: 100%)
domainrapisigns.com
Unknown malware payload delivery domain (confidence level: 100%)
domainagostodosgad.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainbdios8877.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domaincocomelon27.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domaindia16mayoje.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domaindiosestaconmiugo.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domaineduardoestevex.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainenagostoestb.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainenvio7sep2023.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainesteesasyn.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainesteesmider.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainestemesesdedios.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainestwrmessol.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainlostermas.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainmairoester.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainmarquesosa3.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainparahotmejor.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainparajulioped.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainparaprobares.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainquasintiner.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainrenvosdtutu.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainservernjnuevo.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainsientosmilter.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainsomosdecall.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domaintodoparadios.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainvamosaverc.duckdns.org
Remcos botnet C2 domain (confidence level: 100%)
domainamadapi.tuktuk.ug
RedLine Stealer botnet C2 domain (confidence level: 100%)
domainstracer.top
RedLine Stealer botnet C2 domain (confidence level: 100%)
domaintaybo.top
RedLine Stealer botnet C2 domain (confidence level: 100%)
domainkik.taybo.top
RedLine Stealer botnet C2 domain (confidence level: 100%)
domainsrk.stracer.top
RedLine Stealer botnet C2 domain (confidence level: 100%)
domaincdn-new-dwnl.site
FAKEUPDATES payload delivery domain (confidence level: 100%)
domainstats-best.site
FAKEUPDATES payload delivery domain (confidence level: 100%)
domainpklkknj89bygvczvi.com
FAKEUPDATES payload delivery domain (confidence level: 100%)
domainngvcfrttgyu512vgv.net
FAKEUPDATES payload delivery domain (confidence level: 100%)
domain3v1n35i5kwx.life
BumbleBee botnet C2 domain (confidence level: 100%)
domainnewdnq1xnl9.life
BumbleBee botnet C2 domain (confidence level: 100%)
domainitszko2ot5u.life
BumbleBee botnet C2 domain (confidence level: 100%)
domaincmid1s1zeiu.life
BumbleBee botnet C2 domain (confidence level: 100%)

Url

ValueDescriptionCopy
urlhttps://heartwoodproperties.com/blog.php
GootLoader payload delivery URL (confidence level: 100%)
urlhttps://heldenfutter.de/blog.php
GootLoader payload delivery URL (confidence level: 100%)
urlhttps://gutesherz.or/go.php
GootLoader payload delivery URL (confidence level: 100%)
urlhttps://38.47.238.225/jquery-3.3.1.min.js
Cobalt Strike botnet C2 (confidence level: 100%)
urlhttps://paste.ee/d/jepak/0
Remcos payload delivery URL (confidence level: 75%)
urlhttps://pastebin.com/raw/sfgsbg3v
Remcos payload delivery URL (confidence level: 75%)
urlhttps://wtools.io/code/dl/bplb
Remcos payload delivery URL (confidence level: 75%)
urlhttps://pasteio.com/download/xtnja1wvooam
Remcos payload delivery URL (confidence level: 75%)
urlhttps://oiuytyfvq621mb.org/vvmd54/
FAKEUPDATES payload delivery URL (confidence level: 100%)
urlhttps://oiuytyfvq621mb.org/zgbn19mx
FAKEUPDATES payload delivery URL (confidence level: 100%)
urlhttps://oiuytyfvq621mb.org/lander/chrome/_index.php
FAKEUPDATES payload delivery URL (confidence level: 100%)
urlhttp://bagisyapsendehadi.xyz/
Alien botnet C2 (confidence level: 80%)
urlhttp://berkatamankimsedurduramaz.ml/
Alien botnet C2 (confidence level: 80%)
urlhttp://yenilimit.xyz
Alien botnet C2 (confidence level: 80%)
urlhttp://status.klopware.space/_defaultwindows.php
DCRat botnet C2 (confidence level: 100%)
urlhttps://pklkknj89bygvczvi.com/vvmd54/
FAKEUPDATES payload delivery URL (confidence level: 100%)
urlhttps://ngvcfrttgyu512vgv.net/zgbn19mx
FAKEUPDATES payload delivery URL (confidence level: 100%)
urlhttps://ngvcfrttgyu512vgv.net/lander/chrome/_index.php
FAKEUPDATES payload delivery URL (confidence level: 100%)
urlhttp://a0859540.xsph.ru/l1nc0in.php
DCRat botnet C2 (confidence level: 100%)

Threat ID: 68359c9d5d5f0974d01f3450

Added to database: 5/27/2025, 11:06:05 AM

Last enriched: 7/5/2025, 11:10:59 PM

Last updated: 7/30/2025, 2:18:08 AM

Views: 13

Related Threats

'Blue Locker' Analysis: Ransomware Targeting Oil & Gas Sector in Pakistan

Medium
MalwareFri Aug 15 2025

Kawabunga, Dude, You've Been Ransomed!

Medium
MalwareFri Aug 15 2025

ERMAC V3.0 Banking Trojan: Full Source Code Leak and Infrastructure Analysis

Medium
MalwareFri Aug 15 2025

Threat Bulletin: Fire in the Woods – A New Variant of FireWood

Medium
MalwareFri Aug 15 2025

This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

Medium
MalwareFri Aug 15 2025

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

External Links

Search on Google

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats