ThreatFox IOCs for 2023-09-28
ThreatFox IOCs for 2023-09-28
AI Analysis
Technical Summary
The provided threat information pertains to a malware-related intelligence report titled "ThreatFox IOCs for 2023-09-28," sourced from ThreatFox, a platform specializing in sharing Indicators of Compromise (IOCs) and threat intelligence data. The report is categorized under 'osint' (open-source intelligence) and is tagged with 'type:osint' and 'tlp:white,' indicating that the information is publicly shareable without restrictions. No specific affected software versions, CWE identifiers, or patch links are provided, and there are no known exploits actively observed in the wild related to this threat. The technical details include a threat level of 2 (on an unspecified scale), an analysis rating of 1, and a distribution rating of 3, suggesting moderate dissemination or visibility within threat intelligence communities. The absence of concrete IOCs, affected products, or detailed malware behavior limits the ability to perform a deep technical dissection. However, the classification as malware and its presence in ThreatFox implies that this threat involves malicious software potentially used for cyber intrusion or data compromise. Given the lack of exploit activity and detailed technical data, this appears to be an emerging or low-visibility threat currently under observation rather than an active widespread campaign.
Potential Impact
For European organizations, the potential impact of this threat is currently limited due to the absence of known active exploits and detailed technical indicators. However, malware threats disseminated through open-source intelligence channels can evolve rapidly, potentially leading to unauthorized access, data exfiltration, or disruption of services if weaponized. European entities with high reliance on digital infrastructure, particularly those in critical sectors such as finance, energy, and government, could face risks if this malware is later linked to targeted attacks or supply chain compromises. The medium severity rating suggests a moderate risk level, implying that while immediate impact is low, vigilance is necessary. The lack of specific affected products or versions means that the threat could be generic or broad in scope, potentially impacting multiple platforms or environments if exploited. Organizations should consider this threat as a potential indicator of emerging malware campaigns that may leverage OSINT for distribution or targeting.
Mitigation Recommendations
Given the limited technical details and absence of active exploits, mitigation should focus on proactive threat hunting and strengthening general malware defenses. European organizations should: 1) Integrate ThreatFox and similar OSINT feeds into their security information and event management (SIEM) systems to enhance detection capabilities for emerging IOCs once they become available. 2) Conduct regular endpoint and network scans for anomalous behavior or unknown binaries that could be associated with new malware variants. 3) Maintain up-to-date antivirus and endpoint detection and response (EDR) solutions with heuristic and behavioral analysis capabilities to detect unknown threats. 4) Implement strict network segmentation and least privilege access controls to limit potential lateral movement if infection occurs. 5) Train security teams to monitor threat intelligence platforms for updates related to this malware to enable rapid response. 6) Employ sandboxing and malware analysis environments to safely analyze any suspicious files or behaviors linked to this threat as new data emerges. These measures go beyond generic advice by emphasizing integration of OSINT feeds, proactive hunting, and adaptive analysis aligned with the evolving nature of this threat.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands
Indicators of Compromise
- file: 94.228.169.135
- hash: 8086
- url: http://208.91.189.189/8882f656e94df309.php
- url: http://193.201.8.110/bded386f853bed13.php
- url: http://45.77.76.224/~clinics/uhjax1txlodzacvar
- file: 139.129.22.253
- hash: 443
- url: http://95.141.41.12/n9kd3x/index.php
- file: 35.78.197.97
- hash: 80
- file: 220.69.33.51
- hash: 443
- file: 81.19.131.36
- hash: 2450
- file: 95.141.41.12
- hash: 80
- file: 152.89.198.175
- hash: 8443
- file: 209.42.194.94
- hash: 8081
- url: http://51.89.205.213:8081/login
- file: 51.89.205.213
- hash: 8081
- file: 51.89.205.213
- hash: 50500
- file: 94.180.116.124
- hash: 3790
- url: http://milkwithlacto.fun/c2conf
- url: http://168.119.168.251:10088/data.zip
- url: http://168.119.168.251:10088/
- file: 94.131.98.34
- hash: 7443
- file: 192.241.152.108
- hash: 7443
- file: 193.134.210.75
- hash: 7443
- file: 195.201.252.32
- hash: 80
- url: http://195.201.252.32/
- file: 45.81.39.182
- hash: 39001
- file: 45.61.136.107
- hash: 443
- domain: cnc.n1gger.ru
- domain: cdn.n1gger.ru
- file: 8.217.13.6
- hash: 80
- file: 3.250.85.71
- hash: 445
- file: 154.202.59.98
- hash: 443
- file: 20.199.18.38
- hash: 1024
- file: 202.146.218.35
- hash: 8848
- file: 43.143.166.173
- hash: 8888
- file: 139.199.212.224
- hash: 8888
- file: 121.40.160.128
- hash: 9999
- url: http://magaway.fun/
- url: http://rosaryconbo.fun/
- file: 45.87.155.88
- hash: 443
- file: 8.142.92.17
- hash: 8888
- url: http://85.209.11.107/g.pixel
- url: https://cdnoss.sec.cm/common/view/aid
- file: 3.140.239.216
- hash: 30003
- file: 124.70.99.70
- hash: 4443
- file: 51.158.102.199
- hash: 7443
- file: 103.151.5.52
- hash: 3790
- domain: notdns1.noreply-alert.cloud
- url: http://powellfamilydentist.com:8080/av.js
- url: http://104.168.68.35:39001/pixel
- url: https://135.125.201.221/load
- url: http://135.125.201.221/__utm.gif
- url: https://154.221.17.44:2080/fwlink
- url: https://20.250.1.110/contact/bsd/m9bdbrytm
- file: 20.250.1.110
- hash: 443
- file: 81.161.229.224
- hash: 3609
- file: 13.208.185.148
- hash: 80
- file: 52.197.114.159
- hash: 2376
- url: https://98ygdjhdvuhj.com/vvmd54/
- url: https://98ygdjhdvuhj.com/zgbn19mx
- url: https://98ygdjhdvuhj.com/lander/chrome_1695206714/_index.php
- url: http://45.77.76.224/~clinics/sobdspisj8vqe
- file: 109.248.206.49
- hash: 443
- file: 202.211.4.65
- hash: 443
- file: 172.86.75.88
- hash: 443
- domain: 98ygdjhdvuhj.com
- file: 81.161.229.158
- hash: 2404
- file: 192.254.69.35
- hash: 2078
- file: 104.243.45.170
- hash: 2222
- file: 217.170.204.197
- hash: 32999
- file: 163.197.217.136
- hash: 80
- file: 43.140.199.163
- hash: 8090
- file: 43.154.14.120
- hash: 80
- file: 54.146.175.95
- hash: 8083
- file: 195.201.235.164
- hash: 443
- file: 52.56.68.28
- hash: 443
- file: 5.75.185.92
- hash: 2376
- file: 54.227.170.33
- hash: 443
- file: 54.160.56.128
- hash: 2376
- file: 64.227.179.34
- hash: 3790
- file: 143.198.241.192
- hash: 443
- url: https://xavfgrtgrg.com/preserve/picture/ijnhfxu2x53
- domain: xavfgrtgrg.com
- file: 45.227.252.244
- hash: 443
- file: 138.68.129.245
- hash: 443
- url: http://94.142.138.43:8081/login
- file: 94.142.138.43
- hash: 8081
- file: 94.142.138.43
- hash: 50500
- domain: awindakizend.com
- domain: 2flowers-my.xyz
- domain: blockall-my.xyz
- domain: blockspam-my.xyz
- domain: bondappeal.xyz
- domain: boxclod.xyz
- domain: catfoodbio.xyz
- domain: chocomeat.fun
- domain: cloudsnike-my.xyz
- domain: coinflore-my.xyz
- domain: coolworkss.xyz
- domain: cosmosvr3d.xyz
- domain: culturalevenings.xyz
- domain: deeppoetry.xyz
- domain: diavellipromo-my.xyz
- domain: dogshanter.xyz
- domain: downloaddedattre.fun
- domain: downloadfiles-my.xyz
- domain: dromautocar.xyz
- domain: dropfiles-my.xyz
- domain: ducklingibises.fun
- domain: glaziercarde.fun
- domain: housegrommy.fun
- domain: jumperstad.fun
- domain: lackbasinmu.fun
- domain: pearlbarleyhit.fun
- domain: politicuseles.fun
- domain: portlandcor.fun
- domain: potatomeatball.fun
- domain: pregnantflowers.fun
- domain: rarefood.fun
- domain: rosaryconbo.fun
- domain: royalpantss.fun
- domain: satanakop.fun
- domain: sausagerollraisin.fun
- domain: scruffymapleflat.fun
- domain: sendcyniaforeign.fun
- domain: socialmadness.fun
- domain: sodafountainpr.fun
- domain: startablekor.fun
- domain: superyupp.fun
- domain: talkinwhitepod.fun
- domain: tuberoseprod.fun
- domain: valleydod.fun
- domain: veinsmoter.fun
- domain: waterparkedone.fun
- domain: withdrawlecterns.fun
- domain: wolffunny.fun
- domain: yachtracingopt.fun
- file: 91.103.252.210
- hash: 3000
- url: https://ojhggnfbcy62.com/vvmd54/
- domain: ojhggnfbcy62.com
- file: 109.248.206.118
- hash: 443
- file: 185.213.167.163
- hash: 443
- url: http://rollbeamone.fun/
- url: http://213.252.244.62
- url: http://157.90.248.179
- url: https://ojhggnfbcy62.com/zgbn19mx
- url: https://ojhggnfbcy62.com/lander/chrome_1695206714/_index.php
- file: 112.29.180.20
- hash: 10036
- file: 112.29.177.19
- hash: 10036
- file: 112.29.177.20
- hash: 10036
- file: 89.203.129.78
- hash: 443
- file: 159.203.124.88
- hash: 1233
- file: 121.91.168.253
- hash: 8888
- file: 139.9.117.78
- hash: 8888
- file: 147.185.221.16
- hash: 47426
- url: https://209.250.245.144/jquery-3.3.1.min.js
- file: 209.250.245.144
- hash: 443
ThreatFox IOCs for 2023-09-28
Description
ThreatFox IOCs for 2023-09-28
AI-Powered Analysis
Technical Analysis
The provided threat information pertains to a malware-related intelligence report titled "ThreatFox IOCs for 2023-09-28," sourced from ThreatFox, a platform specializing in sharing Indicators of Compromise (IOCs) and threat intelligence data. The report is categorized under 'osint' (open-source intelligence) and is tagged with 'type:osint' and 'tlp:white,' indicating that the information is publicly shareable without restrictions. No specific affected software versions, CWE identifiers, or patch links are provided, and there are no known exploits actively observed in the wild related to this threat. The technical details include a threat level of 2 (on an unspecified scale), an analysis rating of 1, and a distribution rating of 3, suggesting moderate dissemination or visibility within threat intelligence communities. The absence of concrete IOCs, affected products, or detailed malware behavior limits the ability to perform a deep technical dissection. However, the classification as malware and its presence in ThreatFox implies that this threat involves malicious software potentially used for cyber intrusion or data compromise. Given the lack of exploit activity and detailed technical data, this appears to be an emerging or low-visibility threat currently under observation rather than an active widespread campaign.
Potential Impact
For European organizations, the potential impact of this threat is currently limited due to the absence of known active exploits and detailed technical indicators. However, malware threats disseminated through open-source intelligence channels can evolve rapidly, potentially leading to unauthorized access, data exfiltration, or disruption of services if weaponized. European entities with high reliance on digital infrastructure, particularly those in critical sectors such as finance, energy, and government, could face risks if this malware is later linked to targeted attacks or supply chain compromises. The medium severity rating suggests a moderate risk level, implying that while immediate impact is low, vigilance is necessary. The lack of specific affected products or versions means that the threat could be generic or broad in scope, potentially impacting multiple platforms or environments if exploited. Organizations should consider this threat as a potential indicator of emerging malware campaigns that may leverage OSINT for distribution or targeting.
Mitigation Recommendations
Given the limited technical details and absence of active exploits, mitigation should focus on proactive threat hunting and strengthening general malware defenses. European organizations should: 1) Integrate ThreatFox and similar OSINT feeds into their security information and event management (SIEM) systems to enhance detection capabilities for emerging IOCs once they become available. 2) Conduct regular endpoint and network scans for anomalous behavior or unknown binaries that could be associated with new malware variants. 3) Maintain up-to-date antivirus and endpoint detection and response (EDR) solutions with heuristic and behavioral analysis capabilities to detect unknown threats. 4) Implement strict network segmentation and least privilege access controls to limit potential lateral movement if infection occurs. 5) Train security teams to monitor threat intelligence platforms for updates related to this malware to enable rapid response. 6) Employ sandboxing and malware analysis environments to safely analyze any suspicious files or behaviors linked to this threat as new data emerges. These measures go beyond generic advice by emphasizing integration of OSINT feeds, proactive hunting, and adaptive analysis aligned with the evolving nature of this threat.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- f72f56bd-0d16-45a2-b92b-afd7bf6aca0f
- Original Timestamp
- 1695945786
Indicators of Compromise
File
| Value | Description | Copy |
|---|---|---|
file94.228.169.135 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file139.129.22.253 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file35.78.197.97 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file220.69.33.51 | Get2 botnet C2 server (confidence level: 80%) | |
file81.19.131.36 | Remcos botnet C2 server (confidence level: 75%) | |
file95.141.41.12 | Amadey botnet C2 server (confidence level: 50%) | |
file152.89.198.175 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file209.42.194.94 | Sliver botnet C2 server (confidence level: 80%) | |
file51.89.205.213 | RisePro botnet C2 server (confidence level: 100%) | |
file51.89.205.213 | RisePro botnet C2 server (confidence level: 100%) | |
file94.180.116.124 | Meterpreter botnet C2 server (confidence level: 80%) | |
file94.131.98.34 | Unknown malware botnet C2 server (confidence level: 50%) | |
file192.241.152.108 | Unknown malware botnet C2 server (confidence level: 50%) | |
file193.134.210.75 | Unknown malware botnet C2 server (confidence level: 50%) | |
file195.201.252.32 | Vidar botnet C2 server (confidence level: 100%) | |
file45.81.39.182 | zgRAT botnet C2 server (confidence level: 100%) | |
file45.61.136.107 | Havoc botnet C2 server (confidence level: 50%) | |
file8.217.13.6 | Havoc botnet C2 server (confidence level: 50%) | |
file3.250.85.71 | Responder botnet C2 server (confidence level: 50%) | |
file154.202.59.98 | pupy botnet C2 server (confidence level: 50%) | |
file20.199.18.38 | DCRat botnet C2 server (confidence level: 50%) | |
file202.146.218.35 | DCRat botnet C2 server (confidence level: 50%) | |
file43.143.166.173 | Unknown malware botnet C2 server (confidence level: 50%) | |
file139.199.212.224 | Unknown malware botnet C2 server (confidence level: 50%) | |
file121.40.160.128 | Unknown malware botnet C2 server (confidence level: 50%) | |
file45.87.155.88 | BianLian botnet C2 server (confidence level: 80%) | |
file8.142.92.17 | Unknown malware botnet C2 server (confidence level: 80%) | |
file3.140.239.216 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file124.70.99.70 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file51.158.102.199 | Unknown malware botnet C2 server (confidence level: 80%) | |
file103.151.5.52 | Meterpreter botnet C2 server (confidence level: 80%) | |
file20.250.1.110 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file81.161.229.224 | Vjw0rm botnet C2 server (confidence level: 100%) | |
file13.208.185.148 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file52.197.114.159 | Sliver botnet C2 server (confidence level: 80%) | |
file109.248.206.49 | FAKEUPDATES payload delivery server (confidence level: 100%) | |
file202.211.4.65 | Get2 botnet C2 server (confidence level: 80%) | |
file172.86.75.88 | IcedID botnet C2 server (confidence level: 100%) | |
file81.161.229.158 | Remcos botnet C2 server (confidence level: 100%) | |
file192.254.69.35 | Pikabot botnet C2 server (confidence level: 100%) | |
file104.243.45.170 | Pikabot botnet C2 server (confidence level: 100%) | |
file217.170.204.197 | Pikabot botnet C2 server (confidence level: 100%) | |
file163.197.217.136 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file43.140.199.163 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file43.154.14.120 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file54.146.175.95 | Sliver botnet C2 server (confidence level: 80%) | |
file195.201.235.164 | Sliver botnet C2 server (confidence level: 80%) | |
file52.56.68.28 | Sliver botnet C2 server (confidence level: 80%) | |
file5.75.185.92 | Sliver botnet C2 server (confidence level: 80%) | |
file54.227.170.33 | Sliver botnet C2 server (confidence level: 80%) | |
file54.160.56.128 | Sliver botnet C2 server (confidence level: 80%) | |
file64.227.179.34 | Meterpreter botnet C2 server (confidence level: 80%) | |
file143.198.241.192 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file45.227.252.244 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file138.68.129.245 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file94.142.138.43 | RisePro botnet C2 server (confidence level: 100%) | |
file94.142.138.43 | RisePro botnet C2 server (confidence level: 100%) | |
file91.103.252.210 | Unknown malware botnet C2 server (confidence level: 80%) | |
file109.248.206.118 | FAKEUPDATES payload delivery server (confidence level: 100%) | |
file185.213.167.163 | IcedID botnet C2 server (confidence level: 60%) | |
file112.29.180.20 | Deimos botnet C2 server (confidence level: 50%) | |
file112.29.177.19 | Deimos botnet C2 server (confidence level: 50%) | |
file112.29.177.20 | Deimos botnet C2 server (confidence level: 50%) | |
file89.203.129.78 | BianLian botnet C2 server (confidence level: 50%) | |
file159.203.124.88 | pupy botnet C2 server (confidence level: 50%) | |
file121.91.168.253 | Unknown malware botnet C2 server (confidence level: 50%) | |
file139.9.117.78 | Unknown malware botnet C2 server (confidence level: 50%) | |
file147.185.221.16 | NjRAT botnet C2 server (confidence level: 100%) | |
file209.250.245.144 | Cobalt Strike botnet C2 server (confidence level: 100%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash8086 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash443 | Get2 botnet C2 server (confidence level: 80%) | |
hash2450 | Remcos botnet C2 server (confidence level: 75%) | |
hash80 | Amadey botnet C2 server (confidence level: 50%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash8081 | Sliver botnet C2 server (confidence level: 80%) | |
hash8081 | RisePro botnet C2 server (confidence level: 100%) | |
hash50500 | RisePro botnet C2 server (confidence level: 100%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash80 | Vidar botnet C2 server (confidence level: 100%) | |
hash39001 | zgRAT botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash80 | Havoc botnet C2 server (confidence level: 50%) | |
hash445 | Responder botnet C2 server (confidence level: 50%) | |
hash443 | pupy botnet C2 server (confidence level: 50%) | |
hash1024 | DCRat botnet C2 server (confidence level: 50%) | |
hash8848 | DCRat botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash9999 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash443 | BianLian botnet C2 server (confidence level: 80%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 80%) | |
hash30003 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash4443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 80%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash3609 | Vjw0rm botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash2376 | Sliver botnet C2 server (confidence level: 80%) | |
hash443 | FAKEUPDATES payload delivery server (confidence level: 100%) | |
hash443 | Get2 botnet C2 server (confidence level: 80%) | |
hash443 | IcedID botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash2078 | Pikabot botnet C2 server (confidence level: 100%) | |
hash2222 | Pikabot botnet C2 server (confidence level: 100%) | |
hash32999 | Pikabot botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash8090 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash8083 | Sliver botnet C2 server (confidence level: 80%) | |
hash443 | Sliver botnet C2 server (confidence level: 80%) | |
hash443 | Sliver botnet C2 server (confidence level: 80%) | |
hash2376 | Sliver botnet C2 server (confidence level: 80%) | |
hash443 | Sliver botnet C2 server (confidence level: 80%) | |
hash2376 | Sliver botnet C2 server (confidence level: 80%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 80%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash8081 | RisePro botnet C2 server (confidence level: 100%) | |
hash50500 | RisePro botnet C2 server (confidence level: 100%) | |
hash3000 | Unknown malware botnet C2 server (confidence level: 80%) | |
hash443 | FAKEUPDATES payload delivery server (confidence level: 100%) | |
hash443 | IcedID botnet C2 server (confidence level: 60%) | |
hash10036 | Deimos botnet C2 server (confidence level: 50%) | |
hash10036 | Deimos botnet C2 server (confidence level: 50%) | |
hash10036 | Deimos botnet C2 server (confidence level: 50%) | |
hash443 | BianLian botnet C2 server (confidence level: 50%) | |
hash1233 | pupy botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash47426 | NjRAT botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://208.91.189.189/8882f656e94df309.php | Stealc botnet C2 (confidence level: 100%) | |
urlhttp://193.201.8.110/bded386f853bed13.php | Stealc botnet C2 (confidence level: 100%) | |
urlhttp://45.77.76.224/~clinics/uhjax1txlodzacvar | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%) | |
urlhttp://95.141.41.12/n9kd3x/index.php | Amadey botnet C2 (confidence level: 100%) | |
urlhttp://51.89.205.213:8081/login | RisePro botnet C2 (confidence level: 100%) | |
urlhttp://milkwithlacto.fun/c2conf | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttp://168.119.168.251:10088/data.zip | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://168.119.168.251:10088/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://195.201.252.32/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://magaway.fun/ | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttp://rosaryconbo.fun/ | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttp://85.209.11.107/g.pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://cdnoss.sec.cm/common/view/aid | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://powellfamilydentist.com:8080/av.js | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://104.168.68.35:39001/pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://135.125.201.221/load | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://135.125.201.221/__utm.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://154.221.17.44:2080/fwlink | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://20.250.1.110/contact/bsd/m9bdbrytm | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://98ygdjhdvuhj.com/vvmd54/ | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://98ygdjhdvuhj.com/zgbn19mx | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://98ygdjhdvuhj.com/lander/chrome_1695206714/_index.php | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttp://45.77.76.224/~clinics/sobdspisj8vqe | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%) | |
urlhttps://xavfgrtgrg.com/preserve/picture/ijnhfxu2x53 | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://94.142.138.43:8081/login | RisePro botnet C2 (confidence level: 100%) | |
urlhttps://ojhggnfbcy62.com/vvmd54/ | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttp://rollbeamone.fun/ | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttp://213.252.244.62 | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttp://157.90.248.179 | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://ojhggnfbcy62.com/zgbn19mx | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://ojhggnfbcy62.com/lander/chrome_1695206714/_index.php | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://209.250.245.144/jquery-3.3.1.min.js | Cobalt Strike botnet C2 (confidence level: 100%) |
Domain
| Value | Description | Copy |
|---|---|---|
domaincnc.n1gger.ru | zgRAT botnet C2 domain (confidence level: 100%) | |
domaincdn.n1gger.ru | zgRAT botnet C2 domain (confidence level: 100%) | |
domainnotdns1.noreply-alert.cloud | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domain98ygdjhdvuhj.com | FAKEUPDATES payload delivery domain (confidence level: 100%) | |
domainxavfgrtgrg.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainawindakizend.com | IcedID botnet C2 domain (confidence level: 100%) | |
domain2flowers-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainblockall-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainblockspam-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainbondappeal.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainboxclod.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaincatfoodbio.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainchocomeat.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaincloudsnike-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaincoinflore-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaincoolworkss.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaincosmosvr3d.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainculturalevenings.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaindeeppoetry.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaindiavellipromo-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaindogshanter.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaindownloaddedattre.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaindownloadfiles-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaindromautocar.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaindropfiles-my.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainducklingibises.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainglaziercarde.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainhousegrommy.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainjumperstad.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainlackbasinmu.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainpearlbarleyhit.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainpoliticuseles.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainportlandcor.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainpotatomeatball.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainpregnantflowers.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainrarefood.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainrosaryconbo.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainroyalpantss.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainsatanakop.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainsausagerollraisin.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainscruffymapleflat.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainsendcyniaforeign.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainsocialmadness.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainsodafountainpr.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainstartablekor.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainsuperyupp.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaintalkinwhitepod.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaintuberoseprod.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainvalleydod.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainveinsmoter.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainwaterparkedone.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainwithdrawlecterns.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainwolffunny.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainyachtracingopt.fun | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainojhggnfbcy62.com | FAKEUPDATES payload delivery domain (confidence level: 100%) |
Threat ID: 682acdc4bbaf20d303f26c4d
Added to database: 5/19/2025, 6:20:52 AM
Last enriched: 6/18/2025, 7:35:38 AM
Last updated: 8/12/2025, 7:58:00 AM
Views: 15
Related Threats
ThreatFox IOCs for 2025-08-17
MediumThreatFox IOCs for 2025-08-16
MediumScammers Compromised by Own Malware, Expose $4.67M Operation and Identities
MediumThreatFox IOCs for 2025-08-15
MediumThreat Actor Profile: Interlock Ransomware
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.