ThreatFox IOCs for 2024-12-22
AI Analysis
Technical Summary
The provided threat information pertains to a malware-related intelligence report titled 'ThreatFox IOCs for 2024-12-22,' sourced from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat intelligence data. The threat is categorized under 'type:osint,' indicating that it primarily involves open-source intelligence data rather than a specific malware family or exploit targeting a particular software product. There are no affected software versions or specific products listed, and no associated Common Weakness Enumerations (CWEs) or patch links are provided. The technical details include a threat level of 2 (on an unspecified scale), an analysis rating of 1, and a distribution rating of 3, suggesting moderate dissemination potential but limited detailed analysis or severity. The absence of known exploits in the wild and the lack of concrete IOCs or technical indicators imply that this report may be an aggregation or update of OSINT data rather than a direct malware campaign or exploit. The threat is tagged with 'tlp:white,' indicating that the information is intended for public sharing without restrictions. Overall, this report appears to be a medium-severity advisory focused on sharing intelligence data rather than describing an active, high-impact malware threat.
Potential Impact
Given the nature of this threat as an OSINT-based malware intelligence report without specific affected products or active exploits, the direct impact on European organizations is likely limited. However, the dissemination of such intelligence can indirectly affect organizations by informing them of emerging threats or malware trends. European entities relying on open-source threat intelligence feeds may benefit from early warnings, but the lack of actionable IOCs or exploit details reduces immediate risk. The medium severity rating suggests that while the threat does not currently pose a critical risk to confidentiality, integrity, or availability, organizations should remain vigilant. Potential impacts include increased exposure to malware campaigns if the intelligence is used by threat actors to refine attacks or if organizations fail to integrate this intelligence into their security monitoring. The broad and non-specific nature of the report means that no particular sector or country is uniquely targeted, but entities with mature threat intelligence capabilities may find value in correlating this data with internal logs to detect early signs of compromise.
Mitigation Recommendations
To effectively mitigate risks associated with this type of OSINT-based threat intelligence report, European organizations should:
1) Integrate ThreatFox and similar OSINT feeds into their Security Information and Event Management (SIEM) systems to enhance detection capabilities, even if specific IOCs are not provided in this report.
2) Establish processes for continuous monitoring and correlation of open-source threat intelligence with internal network and endpoint telemetry to identify emerging threats early.
3) Conduct regular threat hunting exercises using generalized indicators from OSINT sources to proactively detect potential malware activity.
4) Maintain updated and comprehensive endpoint protection solutions that can respond to a broad spectrum of malware threats, as specific signatures or exploits are not detailed here.
5) Foster information sharing with industry peers and national cybersecurity centers to contextualize OSINT data and improve collective defense.
6) Educate security teams on interpreting and operationalizing OSINT reports, emphasizing the importance of validating and enriching such data before acting upon it.
These steps go beyond generic advice by focusing on operationalizing OSINT intelligence and enhancing proactive detection rather than solely relying on reactive patching or perimeter defenses.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- UUID: 4c465fac-37e7-4828-ac5e-bc6560af49e8
- Original Timestamp: 1734912187
Indicators of Compromise
URL
Value | Description
---|---
http://212.193.31.8/3ofn3jf3e2ljk2/login.php | Amadey botnet C2 (confidence level: 100%)
https://sokrpro.com/w78u.js | FAKEUPDATES payload delivery URL (confidence level: 75%)
https://sokrpro.com/js.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
http://lgbibzuehbz.top/1.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://qamar-alsharqia.com/work/original.js | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://qamar-alsharqia.com/work/index.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://riverflowbd.top/ytzhzjlioddlyti4/ | Coper botnet C2 (confidence level: 100%)
http://59.98.142.78:44280/mozi.m | Mozi payload delivery URL (confidence level: 50%)
http://193.143.1.116/admin/ | Unknown malware botnet C2 (confidence level: 100%)
http://193.143.1.228/admin/ | Unknown malware botnet C2 (confidence level: 100%)
http://193.143.1.237/admin/ | Unknown malware botnet C2 (confidence level: 100%)
https://hugeproject.shop/admin/ | Unknown malware botnet C2 (confidence level: 100%)
http://91.212.166.95/admin/ | Unknown malware botnet C2 (confidence level: 100%)
http://147.45.44.216/auth/login | Meduza Stealer botnet C2 (confidence level: 100%)
http://publicspeaking.co.id/okoye/panel/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%)
https://publicspeaking.co.id/okoye/panel/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 75%)
http://228472cm.n9shka.top/phpauthgamelongpollbigloadbaselinuxwindowstrackdatalife.php | DCRat botnet C2 (confidence level: 100%)
http://185.219.81.132/4bcb97a14f2e1544.php | Stealc botnet C2 (confidence level: 100%)
https://cuddlyready.xyz/api | Lumma Stealer botnet C2 (confidence level: 75%)
https://greywe-snotty.cyou/api | Lumma Stealer botnet C2 (confidence level: 75%)
https://lev-tolstoi.com/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://hosue-billowy.cyou/api | Lumma Stealer botnet C2 (confidence level: 75%)
https://pollution-raker.cyou/api | Lumma Stealer botnet C2 (confidence level: 75%)
https://ripe-blade.cyou/api | Lumma Stealer botnet C2 (confidence level: 75%)
https://sendypaster.xyz/api | Lumma Stealer botnet C2 (confidence level: 75%)
https://smash-boiling.cyou/api | Lumma Stealer botnet C2 (confidence level: 75%)
https://steppriflej.xyz/api | Lumma Stealer botnet C2 (confidence level: 75%)
https://supporse-comment.cyou/api | Lumma Stealer botnet C2 (confidence level: 75%)
https://icyidentifysu.click/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://brendon-sharjen.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://gracefulcallou.click/api | Lumma Stealer botnet C2 (confidence level: 100%)
IP:Port
Value | Description
---|---
167.71.56.116:22342 | NjRAT botnet C2 server (confidence level: 75%)
64.176.83.165:8080 | Cobalt Strike botnet C2 server (confidence level: 100%)
103.195.101.209:6666 | AsyncRAT botnet C2 server (confidence level: 100%)
45.79.221.12:80 | Havoc botnet C2 server (confidence level: 100%)
45.79.221.12:443 | Havoc botnet C2 server (confidence level: 100%)
194.135.104.121:443 | FAKEUPDATES payload delivery server (confidence level: 100%)
3.127.181.115:14324 | NjRAT botnet C2 server (confidence level: 75%)
3.64.4.198:14324 | NjRAT botnet C2 server (confidence level: 75%)
144.126.149.221:8808 | AsyncRAT botnet C2 server (confidence level: 100%)
181.162.128.190:8080 | Quasar RAT botnet C2 server (confidence level: 100%)
198.167.199.175:19132 | Quasar RAT botnet C2 server (confidence level: 100%)
3.69.157.220:11237 | NjRAT botnet C2 server (confidence level: 75%)
3.68.171.119:11237 | NjRAT botnet C2 server (confidence level: 75%)
38.54.118.123:636 | Unknown malware botnet C2 server (confidence level: 100%)
38.54.116.40:16993 | Unknown malware botnet C2 server (confidence level: 100%)
38.54.116.40:222 | Unknown malware botnet C2 server (confidence level: 100%)
38.54.116.40:8088 | Unknown malware botnet C2 server (confidence level: 100%)
38.54.116.40:8090 | Unknown malware botnet C2 server (confidence level: 100%)
38.54.116.40:8081 | Unknown malware botnet C2 server (confidence level: 100%)
52.28.247.255:11237 | NjRAT botnet C2 server (confidence level: 75%)
23.94.70.197:60000 | Unknown malware botnet C2 server (confidence level: 100%)
107.151.251.123:60000 | Unknown malware botnet C2 server (confidence level: 100%)
103.68.175.59:60000 | Unknown malware botnet C2 server (confidence level: 100%)
209.38.190.242:3333 | Unknown malware botnet C2 server (confidence level: 100%)
3.66.38.117:11237 | NjRAT botnet C2 server (confidence level: 75%)
18.197.239.109:11237 | NjRAT botnet C2 server (confidence level: 75%)
3.69.115.178:11237 | NjRAT botnet C2 server (confidence level: 75%)
189.1.242.182:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
47.122.25.63:9999 | Unknown malware botnet C2 server (confidence level: 100%)
46.246.82.20:5000 | DCRat botnet C2 server (confidence level: 100%)
50.21.176.83:7443 | Unknown malware botnet C2 server (confidence level: 100%)
81.71.127.160:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
120.55.164.167:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
47.109.58.47:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
106.54.207.245:2095 | Cobalt Strike botnet C2 server (confidence level: 100%)
47.100.130.85:8443 | Cobalt Strike botnet C2 server (confidence level: 100%)
47.237.71.252:801 | Cobalt Strike botnet C2 server (confidence level: 100%)
36.140.28.13:7777 | Cobalt Strike botnet C2 server (confidence level: 100%)
124.71.137.28:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
104.160.41.56:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
1.117.72.208:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
47.242.132.18:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
117.50.190.56:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
154.9.253.102:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
45.135.164.161:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
112.124.48.6:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
113.44.62.128:8081 | Cobalt Strike botnet C2 server (confidence level: 100%)
111.230.72.201:89 | Cobalt Strike botnet C2 server (confidence level: 100%)
222.70.23.88:8443 | Cobalt Strike botnet C2 server (confidence level: 100%)
87.120.115.8:1433 | Cobalt Strike botnet C2 server (confidence level: 100%)
222.70.23.88:8880 | Cobalt Strike botnet C2 server (confidence level: 100%)
103.106.3.234:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
1.117.72.208:8080 | Cobalt Strike botnet C2 server (confidence level: 100%)
46.173.214.142:443 | Amadey botnet C2 server (confidence level: 100%)
46.173.214.136:443 | Amadey botnet C2 server (confidence level: 100%)
94.103.183.66:443 | Amadey botnet C2 server (confidence level: 100%)
154.216.20.42:443 | Amadey botnet C2 server (confidence level: 100%)
193.176.158.193:443 | Amadey botnet C2 server (confidence level: 100%)
46.173.214.218:443 | Amadey botnet C2 server (confidence level: 100%)
46.173.214.183:443 | Amadey botnet C2 server (confidence level: 100%)
194.87.102.61:443 | Amadey botnet C2 server (confidence level: 100%)
94.103.183.151:443 | Amadey botnet C2 server (confidence level: 100%)
45.152.112.146:443 | Amadey botnet C2 server (confidence level: 100%)
45.152.112.174:443 | Amadey botnet C2 server (confidence level: 100%)
193.242.145.116:443 | Amadey botnet C2 server (confidence level: 100%)
89.35.131.209:443 | Amadey botnet C2 server (confidence level: 100%)
104.21.73.229:443 | Amadey botnet C2 server (confidence level: 100%)
172.67.167.96:443 | Amadey botnet C2 server (confidence level: 100%)
154.205.128.136:61543 | Mirai botnet C2 server (confidence level: 100%)
193.3.23.92:4782 | Quasar RAT botnet C2 server (confidence level: 100%)
192.3.95.227:80 | AsyncRAT botnet C2 server (confidence level: 100%)
54.244.190.244:2086 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
37.44.238.250:80 | DCRat botnet C2 server (confidence level: 100%)
62.60.226.24:80 | Remcos botnet C2 server (confidence level: 100%)
Domain
Value | Description
---|---
sokrpro.com | FAKEUPDATES payload delivery domain (confidence level: 75%)
crayonutteh.click | Lumma Stealer botnet C2 domain (confidence level: 100%)
discokeyus.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
energyaffai.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
crosshuaht.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
grannyejh.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
necklacebudi.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
sustainskelet.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
aspecteirs.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
vikingriorityboost.com | NetSupportManager RAT botnet C2 domain (confidence level: 100%)
brendon-sharjen.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
spellshagey.biz | Lumma Stealer botnet C2 domain (confidence level: 75%)
qamar-alsharqia.com | FAKEUPDATES payload delivery domain (confidence level: 100%)
c.cc13.cn | Cobalt Strike botnet C2 domain (confidence level: 100%)
heuristic-gould.45-77-46-13.plesk.page | Havoc botnet C2 domain (confidence level: 100%)
164.92.226.28.sslip.io | RecordBreaker botnet C2 domain (confidence level: 100%)
eightk8ht.top | CryptBot botnet C2 domain (confidence level: 100%)
onetk1ht.top | CryptBot botnet C2 domain (confidence level: 100%)
onetk1pt.top | CryptBot botnet C2 domain (confidence level: 100%)
sixtk6ht.top | CryptBot botnet C2 domain (confidence level: 100%)
home.eightk8ht.top | CryptBot botnet C2 domain (confidence level: 100%)
home.onetk1ht.top | CryptBot botnet C2 domain (confidence level: 100%)
fivetk5sb.top | CryptBot botnet C2 domain (confidence level: 100%)
home.fivetk5sb.top | CryptBot botnet C2 domain (confidence level: 100%)
eightk8sb.top | CryptBot botnet C2 domain (confidence level: 100%)
fivetk5pt.top | CryptBot botnet C2 domain (confidence level: 100%)
fortkt14sb.top | CryptBot botnet C2 domain (confidence level: 100%)
home.sixtk6sb.top | CryptBot botnet C2 domain (confidence level: 100%)
home.twentytk20ht.top | CryptBot botnet C2 domain (confidence level: 100%)
ninetk9sb.top | CryptBot botnet C2 domain (confidence level: 100%)
sixtk6sb.top | CryptBot botnet C2 domain (confidence level: 100%)
tentk10sb.top | CryptBot botnet C2 domain (confidence level: 100%)
twentytk20ht.top | CryptBot botnet C2 domain (confidence level: 100%)
twentytk20sb.top | CryptBot botnet C2 domain (confidence level: 100%)
eightk8pt.top | CryptBot botnet C2 domain (confidence level: 100%)
fivetk5ht.top | CryptBot botnet C2 domain (confidence level: 100%)
home.fivetk5ht.top | CryptBot botnet C2 domain (confidence level: 100%)
home.sixtk6pt.top | CryptBot botnet C2 domain (confidence level: 100%)
home.tentk10ht.top | CryptBot botnet C2 domain (confidence level: 100%)
home.tentk10pt.top | CryptBot botnet C2 domain (confidence level: 100%)
home.thirtgt13pt.top | CryptBot botnet C2 domain (confidence level: 100%)
home.twentytk20pt.top | CryptBot botnet C2 domain (confidence level: 100%)
ninetk9pt.top | CryptBot botnet C2 domain (confidence level: 100%)
onetk1sb.top | CryptBot botnet C2 domain (confidence level: 100%)
sixtk6pt.top | CryptBot botnet C2 domain (confidence level: 100%)
tentk10ht.top | CryptBot botnet C2 domain (confidence level: 100%)
tentk10pt.top | CryptBot botnet C2 domain (confidence level: 100%)
twentytk20pt.top | CryptBot botnet C2 domain (confidence level: 100%)
thirtgt13pt.top | CryptBot botnet C2 domain (confidence level: 100%)
thirtgt13ht.top | CryptBot botnet C2 domain (confidence level: 100%)
thirtkt13sb.top | CryptBot botnet C2 domain (confidence level: 100%)
twentytk20vt.top | CryptBot botnet C2 domain (confidence level: 100%)
icyidentifysu.click | Lumma Stealer botnet C2 domain (confidence level: 100%)
lev-tolstoi.com | Lumma Stealer botnet C2 domain (confidence level: 100%)
sweepyribs.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
brendon-sharjen.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
gracefulcallou.click | Lumma Stealer botnet C2 domain (confidence level: 100%)
Threat ID: 682c7dc4e8347ec82d2ea759
Added to database: 5/20/2025, 1:04:04 PM
Last enriched: 6/19/2025, 4:33:07 PM
Last updated: 8/16/2025, 9:41:59 AM
Views: 16