ThreatFox IOCs for 2024-11-29
AI Analysis
Technical Summary
The provided threat intelligence pertains to a malware-related report titled "ThreatFox IOCs for 2024-11-29," sourced from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) related to various cyber threats. The report is categorized under the 'osint' product type, indicating that it primarily involves open-source intelligence data rather than a specific software product or version. No affected software versions or specific vulnerabilities (CWEs) are identified, and there are no patch links or known exploits in the wild associated with this threat at the time of publication. The technical details include a threat level rating of 2 (on an unspecified scale), an analysis rating of 1, and a distribution rating of 3, suggesting moderate dissemination or relevance. The absence of concrete IOCs, exploit details, or targeted products implies that this report serves as a general alert or collection of intelligence rather than a detailed technical exploit or malware campaign. The 'medium' severity assigned by the source reflects a moderate risk posture, likely due to the potential for malware activity but without evidence of active exploitation or widespread impact. The TLP (Traffic Light Protocol) designation 'white' indicates that the information is intended for unrestricted public sharing. Overall, this threat intelligence entry appears to be an early-stage or informational alert about malware-related activity or indicators, emphasizing the need for vigilance but lacking specific actionable details or confirmed active threats.
Potential Impact
Given the lack of specific affected products, versions, or exploit details, the direct impact on European organizations is currently limited and primarily theoretical. However, as the threat relates to malware and is distributed via OSINT channels, there is a potential risk that malicious actors could leverage these indicators or related malware in future campaigns targeting European entities. The medium severity suggests a moderate risk to confidentiality, integrity, and availability if the malware were to be deployed effectively. European organizations, especially those relying on open-source intelligence feeds for threat detection or those in sectors commonly targeted by malware (e.g., finance, critical infrastructure, government), could face increased exposure if this threat evolves. The absence of known exploits in the wild reduces immediate risk but does not preclude future exploitation. Consequently, the impact may manifest as increased malware infections leading to data breaches, operational disruptions, or espionage activities if adversaries capitalize on these indicators or related malware tools.
Mitigation Recommendations
1. Enhance OSINT Monitoring: European organizations should integrate ThreatFox and similar OSINT feeds into their threat intelligence platforms to stay updated on emerging IOCs and malware trends.
2. Proactive Threat Hunting: Security teams should conduct proactive threat hunting exercises focusing on malware behaviors associated with the indicators once available, even if no active exploits are currently known.
3. Endpoint Protection Hardening: Deploy and regularly update advanced endpoint detection and response (EDR) solutions capable of identifying and mitigating malware activities, including heuristic and behavior-based detections.
4. Network Segmentation: Implement strict network segmentation to limit lateral movement in case of malware infection.
5. User Awareness Training: Educate employees about the risks of malware, especially those arising from OSINT sources or phishing campaigns that could deliver malware payloads.
6. Incident Response Preparedness: Update incident response plans to include scenarios involving emerging malware threats from OSINT sources, ensuring rapid containment and remediation.
7. Collaboration with CERTs: Engage with national Computer Emergency Response Teams (CERTs) and information sharing organizations to receive timely updates and coordinated defense strategies.
These measures go beyond generic advice by emphasizing integration of OSINT feeds, proactive threat hunting, and collaboration with European cybersecurity entities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- Uuid: f480e000-2068-4975-b27d-b8e05ab2bed7
- Original Timestamp: 1732924989
Indicators of Compromise
Threat ID: 682c7ab9e3e6de8ceb741f22
Added to database: 5/20/2025, 12:51:05 PM
Last enriched: 6/19/2025, 1:49:23 PM
Last updated: 8/17/2025, 6:33:44 AM