
ThreatFox IOCs for 2024-04-10

Medium
Published: Wed Apr 10 2024 (04/10/2024, 00:00:00 UTC)
Source: MISP

Description

ThreatFox IOCs for 2024-04-10

AI-Powered Analysis

Last updated: 07/03/2025, 06:55:15 UTC

Technical Analysis

This entry is the ThreatFox daily export for April 10, 2024, distributed as a MISP event. It is a list of Indicators of Compromise (IOCs), not a report on a single vulnerability, which is why it carries no affected product, CWE or patch reference and the threat type is 'unknown'. The three numeric fields under Technical Details are MISP event metadata, not an assessment of the indicators: threat_level_id 2 means Medium (consistent with the page's severity label), analysis 1 means the event is marked Ongoing, and distribution 3 means it is shared with all communities. The indicators themselves are listed below as URLs, ip-dst|port pairs and domains, each tagged with the malware family it was observed serving and a per-indicator confidence level between 50% and 100%. Families present include remote access trojans and loaders (DCRat, AsyncRAT, Remcos, NjRAT, Xtreme RAT, Poison Ivy, the Latrodectus loader tracked as Unidentified 111, and the Coper Android banking trojan), information stealers (Vidar, RedLine Stealer, RisePro, MintStealer, AMOS, Loki PWS, Rhadamanthys), IoT and Linux botnets (Mirai, Bashlite, MooBot), QakBot and FAKEUPDATES, and post-exploitation frameworks used by both red teams and intrusion crews (Cobalt Strike, Havoc, Sliver, Deimos); one 50%-confidence row is tagged Responder, which is a credential-capture tool rather than a backdoor. The data is tagged OSINT and TLP:WHITE, so it may be redistributed without restriction. Several rows need hygiene before ingestion: one Cobalt Strike URL points at the private RFC 1918 address 192.168.208.130, the three MintStealer addresses (104.21.x.x, 172.67.x.x) fall in Cloudflare's shared proxy ranges, and the 'Unknown malware' and 50%-confidence rows are better suited to alerting than to blocking.

Potential Impact

Exposure depends on whether any of an organization's hosts have contacted these endpoints, not on the entry's severity label, and that question is answered only by matching the indicators against proxy, DNS, firewall and EDR network logs. Most families listed are commodity crimeware distributed opportunistically (stealers, RATs, IoT botnets), so a hit usually means a compromised workstation or an exposed IoT or Linux device rather than a targeted intrusion. A hit on the Cobalt Strike, Havoc, Sliver or Deimos infrastructure can indicate either an authorized red-team engagement or a hands-on-keyboard intrusion and should be handled as the latter until an engagement is confirmed. The payload delivery URLs (the DCRat lets.exe downloads, the Remcos pdtzx.scr file, the Cobalt Strike zip under a third-party site's wp-content path) give a retrospective detection point for the download that preceded any beaconing. European organizations consuming ThreatFox through MISP receive this set automatically; for everyone, its value decays quickly because C2 servers rotate and addresses get reassigned, so matches in logs from around the publication date are high value while long-lived blocks on bare IP addresses mainly add false-positive risk.

Mitigation Recommendations

1. Ingest the URL, ip-dst|port and domain indicators into SIEM, proxy, DNS and EDR detection, but apply hygiene first: drop non-routable values (192.168.208.130), treat addresses in shared CDN ranges (the MintStealer rows at 104.21.x.x and 172.67.x.x) as alert-only, and match ip-dst|port pairs on both address and port rather than on the bare address.
2. Search retrospective logs (proxy, DNS, NetFlow, EDR network telemetry) for the period around 2024-04-10; a hit on a payload URL or a C2 pair is the trigger for host isolation and forensic collection, not just a ticket.
3. Hunt beyond exact matches. The URI paths in the Cobalt Strike rows (jquery-3.3.1.min.js, __utm.gif, ga.js, j.ad, updates.rss, fwlink, ie9compatviewlist.xml, ptj, match, cx, cm, load) are defaults from the public malleable C2 profiles, so the same paths requested from other unfamiliar hosts deserve a look, with the caveat that ga.js and jquery file names also occur on legitimate sites.
4. Use the confidence levels when deciding the response: block on 100% and 80% rows, alert on the 50% rows (Havoc, QakBot, Sliver, Deimos, Responder, FAKEUPDATES and the 'Unknown malware' set), and review any block list before it is applied so that a feed entry does not cut off shared infrastructure.
5. No patch is attached to an IOC feed. The families listed arrive through phishing, fake browser updates and exposed services, so the relevant controls are mail and download filtering, application control on user endpoints, and hardening of internet-facing IoT and Linux devices, which are the Mirai, Bashlite and MooBot victim base.
6. Treat this set as one day of a daily feed: give the indicators an expiry, watch ThreatFox and MISP for updates that retire or re-tag them, and revalidate before any permanent block.
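Steps 1 to 4 above reduce to one pipeline: parse the attribute rows, decide per row whether it is safe to block, and run the result over your own logs. The Python below is an added example, not offseq or ThreatFox code. It assumes a space-separated "<type> <value> <description>" export layout and a constructed proxy log layout; the six IOC rows are copied from the list on this page, the log lines are made up, and the Cloudflare ranges are taken from Cloudflare's public list (treat them as an assumption that must be refreshed).

```python
"""Triage ThreatFox/MISP attribute rows and match them against proxy logs.

Added example, not offseq or ThreatFox code. Assumed: the row layout, the
proxy log layout and the CDN ranges are all ours, not the feed's.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: rows copied from the 2024-04-10 list, in an assumed
# "<type> <value> <description>" layout.
SAMPLE_IOCS = """\
url https://154.23.178.106/lets.exe DCRat payload delivery URL (confidence level: 100%)
url http://192.168.208.130:9999/j.ad Cobalt Strike botnet C2 (confidence level: 100%)
ip-dst|port 77.221.137.22|443 Rhadamanthys botnet C2 server (confidence level: 100%)
ip-dst|port 167.71.105.169|443 Havoc botnet C2 server (confidence level: 50%)
ip-dst|port 104.21.67.23|80 MintStealer botnet C2 server (confidence level: 80%)
domain kuailianv.com DCRat botnet C2 domain (confidence level: 100%)
"""

# Constructed proxy log: "<utc time> <client> <dst ip> <dst port> <url or ->".
SAMPLE_LOG = """\
2024-04-10T09:12:44Z 10.0.0.5 154.23.178.106 443 https://154.23.178.106/lets.exe
2024-04-10T09:13:01Z 10.0.0.7 77.221.137.22 443 -
2024-04-10T09:14:10Z 10.0.0.9 192.168.208.130 9999 http://192.168.208.130:9999/j.ad
2024-04-10T09:15:33Z 10.0.0.5 203.0.113.7 443 https://example.com/
2024-04-10T09:16:02Z 10.0.0.8 203.0.113.9 443 https://cdn.kuailianv.com/api/get
"""

CONF_RE = re.compile(r"\(confidence level: (\d+)%\)")
# Cloudflare proxy ranges (assumed from Cloudflare's public list): a C2 IP in
# here is a shared CDN front, so an IP-only block would hit unrelated sites.
SHARED_CDN = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]


@dataclass(frozen=True)
class Ioc:
    kind: str        # url | ip-dst|port | domain
    value: str
    family: str      # e.g. "DCRat", "Cobalt Strike"
    confidence: int  # ThreatFox confidence, 0-100


def parse_iocs(text: str) -> list[Ioc]:
    out = []
    for line in text.splitlines():
        kind, value, desc = line.split(" ", 2)
        m = CONF_RE.search(desc)
        family = re.split(r" (?:botnet|payload) ", desc)[0]
        out.append(Ioc(kind, value, family, int(m.group(1)) if m else 0))
    return out


def host_of(ioc: Ioc) -> str:
    if ioc.kind == "url":
        return urlsplit(ioc.value).hostname or ""
    if ioc.kind == "ip-dst|port":
        return ioc.value.split("|", 1)[0]
    return ioc.value


def triage(ioc: Ioc, min_conf: int = 75) -> str:
    """'drop' unusable rows, 'alert' on weak ones, 'block' the rest."""
    try:
        ip = ipaddress.ip_address(host_of(ioc))
    except ValueError:
        ip = None  # hostname, not an address
    if ip is not None and not ip.is_global:
        return "drop"   # RFC 1918 etc.: would only ever match your own network
    if ip is not None and any(ip in net for net in SHARED_CDN):
        return "alert"  # shared infrastructure: match on URL/host, never block the IP
    if ioc.confidence < min_conf:
        return "alert"
    return "block"


def build_index(iocs: list[Ioc]) -> dict[str, dict[str, Ioc]]:
    index: dict[str, dict[str, Ioc]] = {"url": {}, "ip-dst|port": {}, "domain": {}}
    for ioc in iocs:
        if triage(ioc) != "drop":
            index[ioc.kind][ioc.value.lower()] = ioc
    return index


def match_log(log: str, index: dict[str, dict[str, Ioc]]) -> list[tuple[str, str, str, str]]:
    """Return (client, matched kind, family, action) for every log line that hits."""
    hits = []
    for line in log.splitlines():
        _ts, client, dst_ip, dst_port, url = line.split()
        found = None
        if url != "-" and url.lower() in index["url"]:
            found = index["url"][url.lower()]
        elif f"{dst_ip}|{dst_port}" in index["ip-dst|port"]:
            found = index["ip-dst|port"][f"{dst_ip}|{dst_port}"]
        elif url != "-":
            labels = (urlsplit(url).hostname or "").lower().split(".")
            # walk cdn.kuailianv.com -> kuailianv.com so subdomains of a C2 domain hit too
            for i in range(len(labels) - 1):
                cand = ".".join(labels[i:])
                if cand in index["domain"]:
                    found = index["domain"][cand]
                    break
        if found:
            hits.append((client, found.kind, found.family, triage(found)))
    return hits


if __name__ == "__main__":
    idx = build_index(parse_iocs(SAMPLE_IOCS))
    for hit in match_log(SAMPLE_LOG, idx):
        print(hit)
```

On the constructed log this yields three hits (a DCRat download, a Rhadamanthys C2 connection on 443, and a subdomain of the DCRat domain) and stays silent on the 192.168.208.130 row, which triage dropped before indexing. The Havoc row survives as alert-only because of its 50% confidence, and the MintStealer row because its address sits in a shared CDN range.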


Technical Details

Threat Level: 2 (MISP threat_level_id, Medium)
Analysis: 1 (MISP analysis state, Ongoing)
Distribution: 3 (MISP distribution, All communities)

Indicators of Compromise

URL

Value    Description
https://ahhhuu22cxxx.com/zdfmmdlmzwe1ztji/    Coper botnet C2 (confidence level: 80%)
https://h23hxa22f3f2a.com/zdfmmdlmzwe1ztji/    Coper botnet C2 (confidence level: 80%)
https://h13f2hah2aa.com/zdfmmdlmzwe1ztji/    Coper botnet C2 (confidence level: 80%)
https://cwcwac3f422af.com/zdfmmdlmzwe1ztji/    Coper botnet C2 (confidence level: 80%)
https://g2agfawfw.com/zdfmmdlmzwe1ztji/    Coper botnet C2 (confidence level: 80%)
https://154.23.178.106/lets.exe    DCRat payload delivery URL (confidence level: 100%)
http://38.181.35.175/lets.exe    DCRat payload delivery URL (confidence level: 100%)
https://154.23.178.139/lets.exe    DCRat payload delivery URL (confidence level: 100%)
http://154.23.178.70/lets.exe    DCRat payload delivery URL (confidence level: 100%)
https://boom.baiduboomboom.tk:2096/__utm.gif    Cobalt Strike botnet C2 (confidence level: 100%)
https://116.203.15.18/    Vidar botnet C2 (confidence level: 100%)
https://covid19help.top/pdtzx.scr    Remcos payload delivery URL (confidence level: 100%)
https://119.91.214.152/ie9compatviewlist.xml    Cobalt Strike botnet C2 (confidence level: 100%)
https://23.95.254.136/jquery-3.3.1.min.js    Cobalt Strike botnet C2 (confidence level: 100%)
https://cmsdisybnererdefs.shop/mjm2ytbkogjlzju1/    Coper botnet C2 (confidence level: 80%)
https://cmsdisybnererdasd65.shop/mjm2ytbkogjlzju1/    Coper botnet C2 (confidence level: 80%)
https://cmsdisybnererdgfdgn2.com/mjm2ytbkogjlzju1/    Coper botnet C2 (confidence level: 80%)
https://cmsdisybnererd5345.com/mjm2ytbkogjlzju1/    Coper botnet C2 (confidence level: 80%)
http://samsunguniverse.com/wp-content/unsalted-condensed-soups/    Cobalt Strike botnet C2 (confidence level: 100%)
http://116.205.228.160/g.pixel    Cobalt Strike botnet C2 (confidence level: 100%)
https://felizcity.com/wp-content/plugins/jetpack/json-endpoints/jetpack/hays_compiled_documents.zip    Cobalt Strike payload delivery URL (confidence level: 100%)
https://156.251.162.29/ptj    Cobalt Strike botnet C2 (confidence level: 100%)
http://120.46.130.73:6666/updates.rss    Cobalt Strike botnet C2 (confidence level: 100%)
https://43.153.222.28/match    Cobalt Strike botnet C2 (confidence level: 100%)
http://121.37.237.168:10000/updates.rss    Cobalt Strike botnet C2 (confidence level: 100%)
https://173.249.196.234/cm    Cobalt Strike botnet C2 (confidence level: 100%)
https://baidu.freemetb.top/azure/api/v2/userinfo/get    Cobalt Strike botnet C2 (confidence level: 100%)
https://193.32.149.59/j.ad    Cobalt Strike botnet C2 (confidence level: 100%)
http://114.132.62.71:8080/ga.js    Cobalt Strike botnet C2 (confidence level: 100%)
http://121.37.237.168/cx    Cobalt Strike botnet C2 (confidence level: 100%)
http://7b7cd24ea6f08b711cf4053beac43cc5.melonhack.top/api/get    Cobalt Strike botnet C2 (confidence level: 100%)
http://49.232.55.153/cx    Cobalt Strike botnet C2 (confidence level: 100%)
http://173.249.196.234/fwlink    Cobalt Strike botnet C2 (confidence level: 100%)
http://192.168.208.130:9999/j.ad    Cobalt Strike botnet C2 (confidence level: 100%) (private RFC 1918 address; not usable for detection outside the reporting network)
http://62.234.27.204/download/20/zo2xy7a4bowu    Cobalt Strike botnet C2 (confidence level: 100%)
http://154.92.14.6/load    Cobalt Strike botnet C2 (confidence level: 100%)
https://47.236.185.166/__utm.gif    Cobalt Strike botnet C2 (confidence level: 100%)
https://www.microsoftonline.info:8443/j.ad    Cobalt Strike botnet C2 (confidence level: 100%)
http://8.220.200.34:8080/jquery-3.3.1.min.js    Cobalt Strike botnet C2 (confidence level: 100%)
https://95.217.242.90/    Vidar botnet C2 (confidence level: 100%)
https://195.201.47.150:5432/    Vidar botnet C2 (confidence level: 100%)
http://202.144.192.44/jquery-3.3.1.min.js    Cobalt Strike botnet C2 (confidence level: 100%)
http://38.6.178.161/api/get    Cobalt Strike botnet C2 (confidence level: 100%)
http://123.56.226.153:9999/ga.js    Cobalt Strike botnet C2 (confidence level: 100%)
http://24.199.107.111/index.php/88746289041    Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)

ip-dst|port (destination address and port)

Value    Description
77.221.137.22|443    Rhadamanthys botnet C2 server (confidence level: 100%)
47.242.231.229|65503    DCRat botnet C2 server (confidence level: 100%)
51.68.169.77|443    DCRat botnet C2 server (confidence level: 100%)
89.105.201.98|591    DCRat botnet C2 server (confidence level: 100%)
179.13.0.175|5556    NjRAT botnet C2 server (confidence level: 75%)
1.15.247.249|2096    Cobalt Strike botnet C2 server (confidence level: 100%)
51.79.87.4|8732    Mirai botnet C2 server (confidence level: 75%)
116.203.15.18|443    Vidar botnet C2 server (confidence level: 100%)
167.71.105.169|443    Havoc botnet C2 server (confidence level: 50%)
47.245.38.152|443    Havoc botnet C2 server (confidence level: 50%)
47.236.151.19|443    Havoc botnet C2 server (confidence level: 50%)
167.172.246.65|80    Havoc botnet C2 server (confidence level: 50%)
167.172.246.65|443    Havoc botnet C2 server (confidence level: 50%)
8.140.193.181|8443    Havoc botnet C2 server (confidence level: 50%)
97.118.50.67|993    QakBot botnet C2 server (confidence level: 50%)
188.126.90.3|5000    DCRat botnet C2 server (confidence level: 50%)
51.116.96.182|4000    DCRat botnet C2 server (confidence level: 50%)
46.246.14.9|6000    DCRat botnet C2 server (confidence level: 50%)
179.13.2.154|2230    DCRat botnet C2 server (confidence level: 50%)
111.223.247.163|8888    Unknown malware botnet C2 server (confidence level: 50%)
101.200.214.198|8888    Unknown malware botnet C2 server (confidence level: 50%)
121.36.61.185|8888    Unknown malware botnet C2 server (confidence level: 50%)
101.200.160.159|8888    Unknown malware botnet C2 server (confidence level: 50%)
194.87.236.115|80    Unknown malware botnet C2 server (confidence level: 50%)
106.54.222.22|80    Unknown malware botnet C2 server (confidence level: 50%)
38.89.76.175|61915    Bashlite botnet C2 server (confidence level: 75%)
166.88.61.185|606    Bashlite botnet C2 server (confidence level: 75%)
91.92.253.58|23    Bashlite botnet C2 server (confidence level: 75%)
91.92.240.123|999    Bashlite botnet C2 server (confidence level: 75%)
45.148.244.74|839    Bashlite botnet C2 server (confidence level: 75%)
94.156.8.110|80    MooBot botnet C2 server (confidence level: 100%)
14.225.219.227|80    MooBot botnet C2 server (confidence level: 100%)
23.95.254.136|443    Cobalt Strike botnet C2 server (confidence level: 100%)
91.92.242.187|55555    Mirai botnet C2 server (confidence level: 75%)
79.137.192.4|80    AMOS botnet C2 server (confidence level: 100%)
93.123.85.100|1337    Mirai botnet C2 server (confidence level: 100%)
141.98.10.76|59666    Mirai botnet C2 server (confidence level: 100%)
89.185.84.115|23    Mirai botnet C2 server (confidence level: 100%)
45.61.141.168|35228    RedLine Stealer botnet C2 server (confidence level: 100%)
202.144.192.44|53    Cobalt Strike botnet C2 server (confidence level: 100%)
154.204.177.133|80    Cobalt Strike botnet C2 server (confidence level: 100%)
154.204.177.133|443    Cobalt Strike botnet C2 server (confidence level: 100%)
121.37.237.168|80    Cobalt Strike botnet C2 server (confidence level: 100%)
47.236.185.166|443    Cobalt Strike botnet C2 server (confidence level: 100%)
95.217.242.90|443    Vidar botnet C2 server (confidence level: 100%)
195.201.47.150|5432    Vidar botnet C2 server (confidence level: 100%)
202.144.192.44|80    Cobalt Strike botnet C2 server (confidence level: 100%)
213.195.121.48|5001    AsyncRAT botnet C2 server (confidence level: 80%)
72.203.198.245|8009    Xtreme RAT botnet C2 server (confidence level: 80%)
174.75.184.124|2083    Xtreme RAT botnet C2 server (confidence level: 80%)
66.50.11.141|1800    Remcos botnet C2 server (confidence level: 80%)
94.98.197.28|3460    Poison Ivy botnet C2 server (confidence level: 80%)
207.180.230.175|9443    Havoc botnet C2 server (confidence level: 80%)
3.105.98.157|443    Havoc botnet C2 server (confidence level: 80%)
212.113.106.100|31337    Sliver botnet C2 server (confidence level: 50%)
137.220.197.178|80    Havoc botnet C2 server (confidence level: 80%)
116.177.245.48|4505    Deimos botnet C2 server (confidence level: 50%)
43.129.31.231|8858    DCRat botnet C2 server (confidence level: 80%)
88.214.59.115|8848    DCRat botnet C2 server (confidence level: 80%)
202.95.23.39|5555    DCRat botnet C2 server (confidence level: 80%)
95.172.23.98|8848    DCRat botnet C2 server (confidence level: 80%)
185.62.57.235|445    Responder botnet C2 server (confidence level: 50%)
46.246.84.3|7000    DCRat botnet C2 server (confidence level: 80%)
62.1.168.180|995    QakBot botnet C2 server (confidence level: 50%)
94.156.10.201|8848    DCRat botnet C2 server (confidence level: 80%)
86.22.67.194|443    QakBot botnet C2 server (confidence level: 50%)
103.186.108.212|8848    DCRat botnet C2 server (confidence level: 80%)
216.83.36.247|8888    Unknown malware botnet C2 server (confidence level: 50%)
171.41.198.122|25565    DCRat botnet C2 server (confidence level: 80%)
46.246.82.12|7000    DCRat botnet C2 server (confidence level: 80%)
47.93.173.235|8888    Unknown malware botnet C2 server (confidence level: 50%)
123.57.137.235|8888    Unknown malware botnet C2 server (confidence level: 50%)
47.93.174.136|8888    Unknown malware botnet C2 server (confidence level: 50%)
43.128.177.204|8888    Unknown malware botnet C2 server (confidence level: 50%)
47.108.204.218|8888    Unknown malware botnet C2 server (confidence level: 50%)
154.40.47.121|80    Unknown malware botnet C2 server (confidence level: 50%)
91.92.252.146|80    Unknown malware botnet C2 server (confidence level: 50%)
92.63.96.171|80    Unknown malware botnet C2 server (confidence level: 50%)
45.128.232.135|443    FAKEUPDATES botnet C2 server (confidence level: 50%)
45.128.232.135|80    FAKEUPDATES botnet C2 server (confidence level: 50%)
38.92.40.19|8081    RisePro botnet C2 server (confidence level: 80%)
45.61.139.225|8081    RisePro botnet C2 server (confidence level: 80%)
104.21.67.23|80    MintStealer botnet C2 server (confidence level: 80%) (Cloudflare proxy range; shared infrastructure)
172.67.211.144|443    MintStealer botnet C2 server (confidence level: 80%) (Cloudflare proxy range; shared infrastructure)
104.21.96.39|80    MintStealer botnet C2 server (confidence level: 80%) (Cloudflare proxy range; shared infrastructure)

Domain

Value    Description
kuailianv.com    DCRat botnet C2 domain (confidence level: 100%)
winarkamaps.com    Unidentified 111 (Latrodectus) botnet C2 domain (confidence level: 75%)
stratimasesstr.com    Unidentified 111 (Latrodectus) botnet C2 domain (confidence level: 75%)
boom.baiduboomboom.tk    Cobalt Strike botnet C2 domain (confidence level: 100%)
emv1.ib-comm-gateway.com    Mirai botnet C2 domain (confidence level: 100%)
zhudaji.com    Mirai botnet C2 domain (confidence level: 100%)
rubiconviewer.buzz    Mirai botnet C2 domain (confidence level: 100%)
hatsune.network    Mirai botnet C2 domain (confidence level: 100%)
int.hatsune.network    Mirai botnet C2 domain (confidence level: 100%)
dsbr.cam    Loki Password Stealer (PWS) botnet C2 domain (confidence level: 75%)
jswl.vipsf888.com    MooBot botnet C2 domain (confidence level: 100%)
ns1.fdsagwagfdsba.xyz    Cobalt Strike botnet C2 domain (confidence level: 100%)
baidu.freemetb.top    Cobalt Strike botnet C2 domain (confidence level: 100%)
7b7cd24ea6f08b711cf4053beac43cc5.melonhack.top    Cobalt Strike botnet C2 domain (confidence level: 100%)
www.microsoftonline.info    Cobalt Strike botnet C2 domain (confidence level: 100%)

Threat ID: 6828eab9e1a0c275ea6e3070

Added to database: 5/17/2025, 7:59:53 PM

Last enriched: 7/3/2025, 6:55:15 AM

Last updated: 8/14/2025, 6:02:41 PM

Views: 9
