Skip to main content

ThreatFox IOCs for 2024-11-29

Medium
Published: Fri Nov 29 2024 (11/29/2024, 00:00:00 UTC)
Source: ThreatFox
Vendor/Project: type
Product: osint

Description

ThreatFox IOCs for 2024-11-29

AI-Powered Analysis

AILast updated: 06/19/2025, 13:49:23 UTC

Technical Analysis

The provided threat intelligence pertains to a malware-related report titled "ThreatFox IOCs for 2024-11-29," sourced from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) related to various cyber threats. The report is categorized under the 'osint' product type, indicating that it primarily involves open-source intelligence data rather than a specific software product or version. No affected software versions or specific vulnerabilities (CWEs) are identified, and there are no patch links or known exploits in the wild associated with this threat at the time of publication. The technical details include a threat level rating of 2 (on an unspecified scale), an analysis rating of 1, and a distribution rating of 3, suggesting moderate dissemination or relevance. The absence of concrete IOCs, exploit details, or targeted products implies that this report serves as a general alert or collection of intelligence rather than a detailed technical exploit or malware campaign. The 'medium' severity assigned by the source reflects a moderate risk posture, likely due to the potential for malware activity but without evidence of active exploitation or widespread impact. The TLP (Traffic Light Protocol) designation 'white' indicates that the information is intended for unrestricted public sharing. Overall, this threat intelligence entry appears to be an early-stage or informational alert about malware-related activity or indicators, emphasizing the need for vigilance but lacking specific actionable details or confirmed active threats.

Potential Impact

Given the lack of specific affected products, versions, or exploit details, the direct impact on European organizations is currently limited and primarily theoretical. However, as the threat relates to malware and is distributed via OSINT channels, there is a potential risk that malicious actors could leverage these indicators or related malware in future campaigns targeting European entities. The medium severity suggests a moderate risk to confidentiality, integrity, and availability if the malware were to be deployed effectively. European organizations, especially those relying on open-source intelligence feeds for threat detection or those in sectors commonly targeted by malware (e.g., finance, critical infrastructure, government), could face increased exposure if this threat evolves. The absence of known exploits in the wild reduces immediate risk but does not preclude future exploitation. Consequently, the impact may manifest as increased malware infections leading to data breaches, operational disruptions, or espionage activities if adversaries capitalize on these indicators or related malware tools.

Mitigation Recommendations

1. Enhance OSINT Monitoring: European organizations should integrate ThreatFox and similar OSINT feeds into their threat intelligence platforms to stay updated on emerging IOCs and malware trends. 2. Proactive Threat Hunting: Security teams should conduct proactive threat hunting exercises focusing on malware behaviors associated with the indicators once available, even if no active exploits are currently known. 3. Endpoint Protection Hardening: Deploy and regularly update advanced endpoint detection and response (EDR) solutions capable of identifying and mitigating malware activities, including heuristic and behavior-based detections. 4. Network Segmentation: Implement strict network segmentation to limit lateral movement in case of malware infection. 5. User Awareness Training: Educate employees about the risks of malware, especially those arising from OSINT sources or phishing campaigns that could deliver malware payloads. 6. Incident Response Preparedness: Update incident response plans to include scenarios involving emerging malware threats from OSINT sources, ensuring rapid containment and remediation. 7. Collaboration with CERTs: Engage with national Computer Emergency Response Teams (CERTs) and information sharing organizations to receive timely updates and coordinated defense strategies. These measures go beyond generic advice by emphasizing integration of OSINT feeds, proactive threat hunting, and collaboration with European cybersecurity entities.

Need more detailed analysis?Get Pro

Technical Details

Threat Level
2
Analysis
1
Distribution
3
Uuid
f480e000-2068-4975-b27d-b8e05ab2bed7
Original Timestamp
1732924989

Indicators of Compromise

File

ValueDescriptionCopy
file207.90.238.101
FAKEUPDATES botnet C2 server (confidence level: 100%)
file137.220.63.132
FAKEUPDATES botnet C2 server (confidence level: 100%)
file45.200.148.215
Mirai botnet C2 server (confidence level: 75%)
file192.169.69.26
Nanocore RAT botnet C2 server (confidence level: 100%)
file86.124.170.114
FAKEUPDATES botnet C2 server (confidence level: 100%)
file216.146.25.130
FAKEUPDATES botnet C2 server (confidence level: 100%)
file47.95.201.133
DCRat botnet C2 server (confidence level: 100%)
file113.45.192.130
Cobalt Strike botnet C2 server (confidence level: 100%)
file64.176.37.157
Cobalt Strike botnet C2 server (confidence level: 100%)
file185.92.183.140
Cobalt Strike botnet C2 server (confidence level: 100%)
file110.41.185.80
Cobalt Strike botnet C2 server (confidence level: 100%)
file5.206.227.249
Cobalt Strike botnet C2 server (confidence level: 100%)
file115.120.241.136
Cobalt Strike botnet C2 server (confidence level: 100%)
file193.242.184.203
Cobalt Strike botnet C2 server (confidence level: 100%)
file113.44.133.83
Cobalt Strike botnet C2 server (confidence level: 100%)
file124.70.90.193
Cobalt Strike botnet C2 server (confidence level: 100%)
file43.143.226.217
Cobalt Strike botnet C2 server (confidence level: 100%)
file119.3.171.150
Cobalt Strike botnet C2 server (confidence level: 100%)
file43.229.79.19
Cobalt Strike botnet C2 server (confidence level: 100%)
file8.146.211.99
Cobalt Strike botnet C2 server (confidence level: 100%)
file189.1.240.215
Cobalt Strike botnet C2 server (confidence level: 100%)
file140.143.239.224
Cobalt Strike botnet C2 server (confidence level: 100%)
file110.41.185.80
Cobalt Strike botnet C2 server (confidence level: 100%)
file129.226.54.60
Cobalt Strike botnet C2 server (confidence level: 100%)
file154.9.252.124
Cobalt Strike botnet C2 server (confidence level: 100%)
file47.109.82.220
Cobalt Strike botnet C2 server (confidence level: 100%)
file47.120.49.109
Cobalt Strike botnet C2 server (confidence level: 100%)
file81.71.13.76
Cobalt Strike botnet C2 server (confidence level: 100%)
file5.35.105.92
Cobalt Strike botnet C2 server (confidence level: 100%)
file195.201.44.101
Vidar botnet C2 server (confidence level: 100%)
file95.217.24.53
Vidar botnet C2 server (confidence level: 100%)
file103.68.62.107
Vidar botnet C2 server (confidence level: 100%)
file117.72.95.155
Unknown malware botnet C2 server (confidence level: 100%)
file118.193.32.74
Unknown malware botnet C2 server (confidence level: 100%)
file121.36.212.46
Unknown malware botnet C2 server (confidence level: 100%)
file47.120.75.155
Unknown malware botnet C2 server (confidence level: 100%)
file216.118.101.108
Unknown malware botnet C2 server (confidence level: 100%)
file38.49.39.245
Unknown malware botnet C2 server (confidence level: 100%)
file116.205.121.86
Unknown malware botnet C2 server (confidence level: 100%)
file198.98.58.127
Unknown malware botnet C2 server (confidence level: 100%)
file185.228.234.77
FAKEUPDATES payload delivery server (confidence level: 100%)
file172.65.190.172
Ghost RAT botnet C2 server (confidence level: 100%)

Hash

ValueDescriptionCopy
hash443
FAKEUPDATES botnet C2 server (confidence level: 100%)
hash443
FAKEUPDATES botnet C2 server (confidence level: 100%)
hash1995
Mirai botnet C2 server (confidence level: 75%)
hash6445
Nanocore RAT botnet C2 server (confidence level: 100%)
hash443
FAKEUPDATES botnet C2 server (confidence level: 100%)
hash443
FAKEUPDATES botnet C2 server (confidence level: 100%)
hash8848
DCRat botnet C2 server (confidence level: 100%)
hash10001
Cobalt Strike botnet C2 server (confidence level: 100%)
hash80
Cobalt Strike botnet C2 server (confidence level: 100%)
hash80
Cobalt Strike botnet C2 server (confidence level: 100%)
hash80
Cobalt Strike botnet C2 server (confidence level: 100%)
hash80
Cobalt Strike botnet C2 server (confidence level: 100%)
hash80
Cobalt Strike botnet C2 server (confidence level: 100%)
hash443
Cobalt Strike botnet C2 server (confidence level: 100%)
hash80
Cobalt Strike botnet C2 server (confidence level: 100%)
hash80
Cobalt Strike botnet C2 server (confidence level: 100%)
hash80
Cobalt Strike botnet C2 server (confidence level: 100%)
hash9600
Cobalt Strike botnet C2 server (confidence level: 100%)
hash443
Cobalt Strike botnet C2 server (confidence level: 100%)
hash1234
Cobalt Strike botnet C2 server (confidence level: 100%)
hash2095
Cobalt Strike botnet C2 server (confidence level: 100%)
hash4444
Cobalt Strike botnet C2 server (confidence level: 100%)
hash443
Cobalt Strike botnet C2 server (confidence level: 100%)
hash8443
Cobalt Strike botnet C2 server (confidence level: 100%)
hash443
Cobalt Strike botnet C2 server (confidence level: 100%)
hash8080
Cobalt Strike botnet C2 server (confidence level: 100%)
hash7777
Cobalt Strike botnet C2 server (confidence level: 100%)
hash7777
Cobalt Strike botnet C2 server (confidence level: 100%)
hash8443
Cobalt Strike botnet C2 server (confidence level: 100%)
hash443
Vidar botnet C2 server (confidence level: 100%)
hash44
Vidar botnet C2 server (confidence level: 100%)
hash443
Vidar botnet C2 server (confidence level: 100%)
hash60000
Unknown malware botnet C2 server (confidence level: 100%)
hash60000
Unknown malware botnet C2 server (confidence level: 100%)
hash60000
Unknown malware botnet C2 server (confidence level: 100%)
hash60000
Unknown malware botnet C2 server (confidence level: 100%)
hash80
Unknown malware botnet C2 server (confidence level: 100%)
hash60000
Unknown malware botnet C2 server (confidence level: 100%)
hash60000
Unknown malware botnet C2 server (confidence level: 100%)
hash8888
Unknown malware botnet C2 server (confidence level: 100%)
hash443
FAKEUPDATES payload delivery server (confidence level: 100%)
hash8000
Ghost RAT botnet C2 server (confidence level: 100%)

Domain

ValueDescriptionCopy
domainkotov.lol
Vidar botnet C2 domain (confidence level: 100%)
domainmirailogin.xyz
Mirai botnet C2 domain (confidence level: 75%)
domainfushishandm.info
FAKEUPDATES payload delivery domain (confidence level: 75%)
domainblessedwirrow.org
FAKEUPDATES payload delivery domain (confidence level: 100%)
domainhearforpower.org
FAKEUPDATES payload delivery domain (confidence level: 100%)
domainsmthwentwrong.com
FAKEUPDATES payload delivery domain (confidence level: 100%)

Url

ValueDescriptionCopy
urlhttps://pidlirmidlir23.com/ztzkoduzmtbjyta3/
Coper botnet C2 (confidence level: 100%)
urlhttps://roskingming3333.site/mwqxmmuxnmeyymu4/
Coper botnet C2 (confidence level: 100%)
urlhttp://94.156.177.41/davinci/five/fre.php
Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
urlhttps://powermasteryonline.com/xmlrpc.php
GootLoader botnet C2 (confidence level: 75%)
urlhttps://encryption-code-verification.b-cdn.net/verify-human-recaptcha.html
Lumma Stealer payload delivery URL (confidence level: 100%)
urlhttp://kjbnfdkbf74.b-cdn.net/human-verify-system.html
Lumma Stealer payload delivery URL (confidence level: 100%)
urlhttps://92.255.57.88/7bbacc20a3bd2eb5.php
Stealc botnet C2 (confidence level: 100%)
urlhttps://195.201.44.101/
Vidar botnet C2 (confidence level: 100%)
urlhttps://kotov.lol/
Vidar botnet C2 (confidence level: 100%)
urlhttp://94.156.177.41/davinci/five/pvqdq929bsx_a_d_m1n_a.php
LokiBot botnet C2 (confidence level: 100%)
urlhttp://46.8.237.122/0d6db6b62b0bcd23.php
Stealc botnet C2 (confidence level: 100%)
urlhttp://198.98.58.127:8888/supershell/login/
Unknown malware botnet C2 (confidence level: 100%)
urlhttps://advice-mixer.cyou
Lumma Stealer botnet C2 (confidence level: 75%)
urlhttps://lumdexibuy.shop/api
Lumma Stealer botnet C2 (confidence level: 75%)
urlhttps://effect-shake.cyou
Lumma Stealer botnet C2 (confidence level: 75%)
urlhttps://effect-shake.cyou/api
Lumma Stealer botnet C2 (confidence level: 75%)
urlhttps://balloon-sneak.cyou
Lumma Stealer botnet C2 (confidence level: 75%)
urlhttps://balloon-sneak.cyou/api
Lumma Stealer botnet C2 (confidence level: 75%)
urlhttps://water-acidict.cyou
Lumma Stealer botnet C2 (confidence level: 75%)
urlhttps://water-acidict.cyou/api
Lumma Stealer botnet C2 (confidence level: 75%)
urlhttp://93.123.85.15/update/update3/protect0secure/externalrequestdefaultsql/videovideo/4pipe/eternaljavascriptrequesthttpgeneratortrackdlepublicprivateuploads.php
DCRat botnet C2 (confidence level: 100%)

Threat ID: 682c7ab9e3e6de8ceb741f22

Added to database: 5/20/2025, 12:51:05 PM

Last enriched: 6/19/2025, 1:49:23 PM

Last updated: 7/31/2025, 10:43:24 AM

Views: 12

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

External Links

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats