ThreatFox IOCs for 2023-09-28

Medium
Published: Thu Sep 28 2023 (09/28/2023, 00:00:00 UTC)
Source: ThreatFox
Vendor/Project: type
Product: osint

Description

ThreatFox IOCs for 2023-09-28

AI-Powered Analysis

Last updated: 06/18/2025, 07:35:38 UTC

Technical Analysis

The provided threat information pertains to a malware-related intelligence report titled "ThreatFox IOCs for 2023-09-28," sourced from ThreatFox, a platform specializing in sharing Indicators of Compromise (IOCs) and threat intelligence data. The report is categorized under 'osint' (open-source intelligence) and is tagged with 'type:osint' and 'tlp:white,' indicating that the information is publicly shareable without restrictions. No specific affected software versions, CWE identifiers, or patch links are provided, and there are no known exploits actively observed in the wild related to this threat. The technical details include a threat level of 2 (on an unspecified scale), an analysis rating of 1, and a distribution rating of 3, suggesting moderate dissemination or visibility within threat intelligence communities. The absence of concrete IOCs, affected products, or detailed malware behavior limits the ability to perform a deep technical dissection. However, the classification as malware and its presence in ThreatFox implies that this threat involves malicious software potentially used for cyber intrusion or data compromise. Given the lack of exploit activity and detailed technical data, this appears to be an emerging or low-visibility threat currently under observation rather than an active widespread campaign.

Potential Impact

For European organizations, the potential impact of this threat is currently limited due to the absence of known active exploits and detailed technical indicators. However, malware threats disseminated through open-source intelligence channels can evolve rapidly, potentially leading to unauthorized access, data exfiltration, or disruption of services if weaponized. European entities with high reliance on digital infrastructure, particularly those in critical sectors such as finance, energy, and government, could face risks if this malware is later linked to targeted attacks or supply chain compromises. The medium severity rating suggests a moderate risk level, implying that while immediate impact is low, vigilance is necessary. The lack of specific affected products or versions means that the threat could be generic or broad in scope, potentially impacting multiple platforms or environments if exploited. Organizations should consider this threat as a potential indicator of emerging malware campaigns that may leverage OSINT for distribution or targeting.

Mitigation Recommendations

Given the limited technical details and absence of active exploits, mitigation should focus on proactive threat hunting and strengthening general malware defenses. European organizations should:

1) Integrate ThreatFox and similar OSINT feeds into their security information and event management (SIEM) systems to enhance detection capabilities for emerging IOCs once they become available.
2) Conduct regular endpoint and network scans for anomalous behavior or unknown binaries that could be associated with new malware variants.
3) Maintain up-to-date antivirus and endpoint detection and response (EDR) solutions with heuristic and behavioral analysis capabilities to detect unknown threats.
4) Implement strict network segmentation and least privilege access controls to limit potential lateral movement if infection occurs.
5) Train security teams to monitor threat intelligence platforms for updates related to this malware to enable rapid response.
6) Employ sandboxing and malware analysis environments to safely analyze any suspicious files or behaviors linked to this threat as new data emerges.

These measures go beyond generic advice by emphasizing integration of OSINT feeds, proactive hunting, and adaptive analysis aligned with the evolving nature of this threat.

Technical Details

Threat Level
2
Analysis
1
Distribution
3
Uuid
f72f56bd-0d16-45a2-b92b-afd7bf6aca0f
Original Timestamp
1695945786

Indicators of Compromise

IP:port (C2 server address and port; the page's "File" and "Hash" columns hold the address and port halves of each indicator in the same order)

Value | Description
94.228.169.135:8086 | RedLine Stealer botnet C2 server (confidence level: 100%)
139.129.22.253:443 | Cobalt Strike botnet C2 server (confidence level: 80%)
35.78.197.97:80 | Cobalt Strike botnet C2 server (confidence level: 80%)
220.69.33.51:443 | Get2 botnet C2 server (confidence level: 80%)
81.19.131.36:2450 | Remcos botnet C2 server (confidence level: 75%)
95.141.41.12:80 | Amadey botnet C2 server (confidence level: 50%)
152.89.198.175:8443 | Cobalt Strike botnet C2 server (confidence level: 80%)
209.42.194.94:8081 | Sliver botnet C2 server (confidence level: 80%)
51.89.205.213:8081 | RisePro botnet C2 server (confidence level: 100%)
51.89.205.213:50500 | RisePro botnet C2 server (confidence level: 100%)
94.180.116.124:3790 | Meterpreter botnet C2 server (confidence level: 80%)
94.131.98.34:7443 | Unknown malware botnet C2 server (confidence level: 50%)
192.241.152.108:7443 | Unknown malware botnet C2 server (confidence level: 50%)
193.134.210.75:7443 | Unknown malware botnet C2 server (confidence level: 50%)
195.201.252.32:80 | Vidar botnet C2 server (confidence level: 100%)
45.81.39.182:39001 | zgRAT botnet C2 server (confidence level: 100%)
45.61.136.107:443 | Havoc botnet C2 server (confidence level: 50%)
8.217.13.6:80 | Havoc botnet C2 server (confidence level: 50%)
3.250.85.71:445 | Responder botnet C2 server (confidence level: 50%)
154.202.59.98:443 | pupy botnet C2 server (confidence level: 50%)
20.199.18.38:1024 | DCRat botnet C2 server (confidence level: 50%)
202.146.218.35:8848 | DCRat botnet C2 server (confidence level: 50%)
43.143.166.173:8888 | Unknown malware botnet C2 server (confidence level: 50%)
139.199.212.224:8888 | Unknown malware botnet C2 server (confidence level: 50%)
121.40.160.128:9999 | Unknown malware botnet C2 server (confidence level: 50%)
45.87.155.88:443 | BianLian botnet C2 server (confidence level: 80%)
8.142.92.17:8888 | Unknown malware botnet C2 server (confidence level: 80%)
3.140.239.216:30003 | Cobalt Strike botnet C2 server (confidence level: 80%)
124.70.99.70:4443 | Cobalt Strike botnet C2 server (confidence level: 80%)
51.158.102.199:7443 | Unknown malware botnet C2 server (confidence level: 80%)
103.151.5.52:3790 | Meterpreter botnet C2 server (confidence level: 80%)
20.250.1.110:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
81.161.229.224:3609 | Vjw0rm botnet C2 server (confidence level: 100%)
13.208.185.148:80 | Cobalt Strike botnet C2 server (confidence level: 80%)
52.197.114.159:2376 | Sliver botnet C2 server (confidence level: 80%)
109.248.206.49:443 | FAKEUPDATES payload delivery server (confidence level: 100%)
202.211.4.65:443 | Get2 botnet C2 server (confidence level: 80%)
172.86.75.88:443 | IcedID botnet C2 server (confidence level: 100%)
81.161.229.158:2404 | Remcos botnet C2 server (confidence level: 100%)
192.254.69.35:2078 | Pikabot botnet C2 server (confidence level: 100%)
104.243.45.170:2222 | Pikabot botnet C2 server (confidence level: 100%)
217.170.204.197:32999 | Pikabot botnet C2 server (confidence level: 100%)
163.197.217.136:80 | Cobalt Strike botnet C2 server (confidence level: 80%)
43.140.199.163:8090 | Cobalt Strike botnet C2 server (confidence level: 80%)
43.154.14.120:80 | Cobalt Strike botnet C2 server (confidence level: 80%)
54.146.175.95:8083 | Sliver botnet C2 server (confidence level: 80%)
195.201.235.164:443 | Sliver botnet C2 server (confidence level: 80%)
52.56.68.28:443 | Sliver botnet C2 server (confidence level: 80%)
5.75.185.92:2376 | Sliver botnet C2 server (confidence level: 80%)
54.227.170.33:443 | Sliver botnet C2 server (confidence level: 80%)
54.160.56.128:2376 | Sliver botnet C2 server (confidence level: 80%)
64.227.179.34:3790 | Meterpreter botnet C2 server (confidence level: 80%)
143.198.241.192:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
45.227.252.244:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
138.68.129.245:443 | Cobalt Strike botnet C2 server (confidence level: 80%)
94.142.138.43:8081 | RisePro botnet C2 server (confidence level: 100%)
94.142.138.43:50500 | RisePro botnet C2 server (confidence level: 100%)
91.103.252.210:3000 | Unknown malware botnet C2 server (confidence level: 80%)
109.248.206.118:443 | FAKEUPDATES payload delivery server (confidence level: 100%)
185.213.167.163:443 | IcedID botnet C2 server (confidence level: 60%)
112.29.180.20:10036 | Deimos botnet C2 server (confidence level: 50%)
112.29.177.19:10036 | Deimos botnet C2 server (confidence level: 50%)
112.29.177.20:10036 | Deimos botnet C2 server (confidence level: 50%)
89.203.129.78:443 | BianLian botnet C2 server (confidence level: 50%)
159.203.124.88:1233 | pupy botnet C2 server (confidence level: 50%)
121.91.168.253:8888 | Unknown malware botnet C2 server (confidence level: 50%)
139.9.117.78:8888 | Unknown malware botnet C2 server (confidence level: 50%)
147.185.221.16:47426 | NjRAT botnet C2 server (confidence level: 100%)
209.250.245.144:443 | Cobalt Strike botnet C2 server (confidence level: 100%)

Url

Value | Description
http://208.91.189.189/8882f656e94df309.php | Stealc botnet C2 (confidence level: 100%)
http://193.201.8.110/bded386f853bed13.php | Stealc botnet C2 (confidence level: 100%)
http://45.77.76.224/~clinics/uhjax1txlodzacvar | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
http://95.141.41.12/n9kd3x/index.php | Amadey botnet C2 (confidence level: 100%)
http://51.89.205.213:8081/login | RisePro botnet C2 (confidence level: 100%)
http://milkwithlacto.fun/c2conf | Lumma Stealer botnet C2 (confidence level: 100%)
http://168.119.168.251:10088/data.zip | Vidar botnet C2 (confidence level: 100%)
http://168.119.168.251:10088/ | Vidar botnet C2 (confidence level: 100%)
http://195.201.252.32/ | Vidar botnet C2 (confidence level: 100%)
http://magaway.fun/ | Lumma Stealer botnet C2 (confidence level: 100%)
http://rosaryconbo.fun/ | Lumma Stealer botnet C2 (confidence level: 100%)
http://85.209.11.107/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%)
https://cdnoss.sec.cm/common/view/aid | Cobalt Strike botnet C2 (confidence level: 100%)
http://powellfamilydentist.com:8080/av.js | Cobalt Strike botnet C2 (confidence level: 100%)
http://104.168.68.35:39001/pixel | Cobalt Strike botnet C2 (confidence level: 100%)
https://135.125.201.221/load | Cobalt Strike botnet C2 (confidence level: 100%)
http://135.125.201.221/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%)
https://154.221.17.44:2080/fwlink | Cobalt Strike botnet C2 (confidence level: 100%)
https://20.250.1.110/contact/bsd/m9bdbrytm | Cobalt Strike botnet C2 (confidence level: 100%)
https://98ygdjhdvuhj.com/vvmd54/ | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://98ygdjhdvuhj.com/zgbn19mx | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://98ygdjhdvuhj.com/lander/chrome_1695206714/_index.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
http://45.77.76.224/~clinics/sobdspisj8vqe | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
https://xavfgrtgrg.com/preserve/picture/ijnhfxu2x53 | Cobalt Strike botnet C2 (confidence level: 100%)
http://94.142.138.43:8081/login | RisePro botnet C2 (confidence level: 100%)
https://ojhggnfbcy62.com/vvmd54/ | FAKEUPDATES payload delivery URL (confidence level: 100%)
http://rollbeamone.fun/ | Lumma Stealer botnet C2 (confidence level: 100%)
http://213.252.244.62 | Lumma Stealer botnet C2 (confidence level: 100%)
http://157.90.248.179 | Lumma Stealer botnet C2 (confidence level: 100%)
https://ojhggnfbcy62.com/zgbn19mx | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://ojhggnfbcy62.com/lander/chrome_1695206714/_index.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://209.250.245.144/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%)

Domain

Value | Description
cnc.n1gger.ru | zgRAT botnet C2 domain (confidence level: 100%)
cdn.n1gger.ru | zgRAT botnet C2 domain (confidence level: 100%)
notdns1.noreply-alert.cloud | Cobalt Strike botnet C2 domain (confidence level: 100%)
98ygdjhdvuhj.com | FAKEUPDATES payload delivery domain (confidence level: 100%)
xavfgrtgrg.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
awindakizend.com | IcedID botnet C2 domain (confidence level: 100%)
2flowers-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
blockall-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
blockspam-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
bondappeal.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
boxclod.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
catfoodbio.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
chocomeat.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
cloudsnike-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
coinflore-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
coolworkss.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
cosmosvr3d.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
culturalevenings.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
deeppoetry.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
diavellipromo-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
dogshanter.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
downloaddedattre.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
downloadfiles-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
dromautocar.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
dropfiles-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%)
ducklingibises.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
glaziercarde.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
housegrommy.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
jumperstad.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
lackbasinmu.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
pearlbarleyhit.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
politicuseles.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
portlandcor.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
potatomeatball.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
pregnantflowers.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
rarefood.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
rosaryconbo.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
royalpantss.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
satanakop.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
sausagerollraisin.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
scruffymapleflat.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
sendcyniaforeign.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
socialmadness.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
sodafountainpr.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
startablekor.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
superyupp.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
talkinwhitepod.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
tuberoseprod.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
valleydod.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
veinsmoter.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
waterparkedone.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
withdrawlecterns.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
wolffunny.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
yachtracingopt.fun | Lumma Stealer botnet C2 domain (confidence level: 100%)
ojhggnfbcy62.com | FAKEUPDATES payload delivery domain (confidence level: 100%)

Threat ID: 682acdc4bbaf20d303f26c4d

Added to database: 5/19/2025, 6:20:52 AM

Last enriched: 6/18/2025, 7:35:38 AM

Last updated: 8/18/2025, 1:13:34 PM

Views: 17
