
ThreatFox IOCs for 2024-12-23

Severity: Medium
Published: Mon Dec 23 2024 (12/23/2024, 00:00:00 UTC)
Source: ThreatFox MISP Feed
Type: osint

Description

ThreatFox IOCs for 2024-12-23

AI-Powered Analysis

Last updated: 06/27/2025, 11:22:20 UTC

Technical Analysis

This entry is the ThreatFox MISP feed event for December 23, 2024: a batch of Indicators of Compromise (IOCs), not a vulnerability disclosure, which is why it carries no CWE identifier, affected product version or patch. The MISP event fields say the same: threat level 2 is MISP's "Medium", analysis 1 means the event is still marked "Ongoing", and distribution 3 means it is shared with all communities. The indicators are of four ThreatFox types (URL, ip:port, MD5 hash and domain), each tagged with a malware family, a threat type (botnet C2 or payload delivery) and a confidence level between 50% and 100%. The families are named and well known. Infostealers: Lumma Stealer (the largest group, mostly .lat, .cyou and .click domains serving an /api C2 endpoint), Vidar, Stealc, Meduza Stealer, StrelaStealer, CryptBot, Rhadamanthys, DUCKTAIL and Loki PWS. Commodity RATs: NjRAT, Quasar RAT, AsyncRAT, DCRat (on Russian shared-hosting subdomains under xsph.ru, beget.tech and tw1.ru), Remcos, ValleyRAT and abused NetSupport Manager. Loaders and delivery chains: FAKEUPDATES (SocGholish) fake-browser-update scripts (7y6y.js, js.php, original.js) on satpr.com, boneyn.com and dcfei.xyz, plus Amadey, DBatLoader, Raspberry Robin, Satacom and DarkGate. Post-exploitation C2: Cobalt Strike, Havoc (two plesk.page hostnames, an eu-west-1 EC2 hostname and a hosting-provider reverse-DNS name among its domains) and ShadowPad, plus one server tagged MimiKatz. The Linux/IoT botnets MooBot and Kaiji, the Android banker Hook, one BianLian C2 server and fourteen LockBit payload MD5 hashes at 50% confidence complete the list. Five "Unknown malware" C2 URLs share the path /supershell/login/ on port 8888 or 9999, the login page of the open-source Supershell C2 panel; another (c999testdemo.pk6gb3.top:8092/pages/console/login.html) is the web console of an unidentified framework. The feed records observed infrastructure and payloads, not an initial-access technique or exploit, so its value is detection and blocking rather than patching.

Potential Impact

For European organizations the impact is indirect but real: the infrastructure listed here belongs to the families that make up current intrusion chains. Infostealers such as Lumma, Vidar, Stealc and Rhadamanthys harvest browser sessions and credentials that are resold to initial access brokers; FAKEUPDATES and Raspberry Robin are established first-stage loaders; Cobalt Strike, Havoc and the RATs are what an operator uses after that foothold; BianLian and LockBit are the extortion stage. A host that resolves one of these domains or connects to one of these ip:port pairs is therefore not merely "suspicious" but in contact with infrastructure that was known-bad when ThreatFox recorded it. The European footprint is visible in the feed itself: DUCKTAIL C2 domains under .de (bremerhaven-mail.de, nouisser.de), and Havoc C2 hostnames in an AWS eu-west-1 EC2 range and on a .eu reverse-DNS name (ip189.ip-51-254-238.eu). Organizations that do not ingest the feed, or ingest it without acting on it, lose its early-warning value: a C2 beacon or stealer check-in that could have been blocked at the DNS or proxy layer instead runs until EDR, a customer, or a ransom note reveals it, with the dwell time and lateral movement that implies. Because the indicators describe attacker infrastructure and not a product flaw, the medium severity rating is a statement about the actors and malware behind them, not about an exploitable vulnerability in anything the organization runs.

Mitigation Recommendations

Each indicator type lands in a different control, so handle them separately rather than as one undifferentiated blocklist: 1) Domains: add them to the DNS resolver's response policy zone (RPZ) or sinkhole and alert on any query, including sub-domains (home.fortth14pn.top appears next to fortth14pn.top); the DCRat entries are sub-domains of shared-hosting providers, so block the listed hostname, never the parent xsph.ru, beget.tech or tw1.ru. 2) URLs: block the exact URL on the web proxy and alert on its host; for https URLs a non-intercepting proxy or IDS sees only the hostname (via the TLS SNI), so match on that. 3) ip:port pairs: block outbound connections to the IP and port at the egress firewall and alert on the IP alone; keep the port in the detection key, because several addresses are cloud or shared hosting (the 3.x and 18.x AWS ranges, the EC2 and plesk.page hostnames) where the IP is reused by legitimate tenants. 4) MD5 hashes: search EDR and file-integrity telemetry for the fourteen LockBit hashes; at 50% confidence they are hunt leads rather than block decisions, and an MD5 is trivial for an attacker to change, so pivot from any match to the sample's behaviour and the C2 it contacts. 5) Respect the confidence field throughout: the 75% ip:port entries (NjRAT, MooBot, one Remcos server, StrelaStealer), the 50% Meduza server and the 50% Amadey domains are candidates for alerting rather than automatic blocking. 6) Pull the feed automatically (ThreatFox publishes it as a MISP feed and through its API) and expire indicators on a schedule; C2 infrastructure rotates within days and a stale blocklist produces false positives. 7) Hunt retrospectively: query the last 30 to 90 days of proxy, DNS and NetFlow logs for these indicators, since infrastructure is usually live before it is reported and an earlier contact means an infection that is already established. 8) Where a stealer indicator matches, assume credential and session-cookie theft and reset the affected user's passwords and sessions, not just the host. 9) Segmentation, tested backups and an exercised incident-response plan limit the blast radius of the ransomware families (LockBit, BianLian) at the end of these chains. No patch applies: the feed lists attacker infrastructure, so the work is detection, containment and credential hygiene.
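The ingest-and-hunt step above, as an added example that is not part of the ThreatFox feed or of this page's tooling: it normalises a handful of the indicators listed on this page into per-type lookup tables (URL, host, ip:port, MD5), then scans constructed proxy, DNS, flow and EDR log lines and reports each hit with its malware family and confidence. The IOC rows are copied from this page (the two ip:port values are ones the URL list independently confirms); the log lines, field names and the ts values are invented for the demo.

```python
"""Match ThreatFox-style IOCs against proxy, DNS, flow and EDR log lines.

Added example; it is not part of the ThreatFox feed or of this page's tooling.
IOCS is a hand-picked subset of the indicators on this page; LOG_LINES are
constructed for the demo and do not come from any real system.
"""
import re
from urllib.parse import urlsplit

# (ioc_type, value, malware family, confidence level), typed as ThreatFox types them.
IOCS = [
    ("url", "http://121.41.99.166:8888/supershell/login/", "Unknown malware", 100),
    ("url", "https://wordyfindy.lat/api", "Lumma Stealer", 100),
    ("url", "http://91.211.250.247/f53d7360a78c678c.php", "Stealc", 100),
    ("ip:port", "121.41.99.166:8888", "Unknown malware", 100),
    ("ip:port", "176.126.86.20:80", "Meduza Stealer", 50),
    ("domain", "clickminded.agency", "DarkGate", 100),
    ("domain", "fortth14pn.top", "CryptBot", 100),
    ("domain", "neqi.shop", "Lumma Stealer", 50),
    ("md5_hash", "8ff61e4156c10b085e0c2233f24e8501", "LockBit", 50),
]

# Constructed sample log lines: web proxy, DNS resolver, NetFlow-style flows, EDR.
LOG_LINES = [
    "proxy ts=1734998700 src=10.0.0.5 method=GET url=https://wordyfindy.lat/api status=200",
    "proxy ts=1734998712 src=10.0.0.6 method=GET url=https://www.example.org/ status=200",
    "dns ts=1734998730 src=10.0.0.7 qtype=A qname=home.fortth14pn.top",
    "dns ts=1734998731 src=10.0.0.7 qtype=A qname=login.microsoftonline.com",
    "flow ts=1734998740 10.0.0.9:51234 -> 176.126.86.20:80 proto=tcp bytes=4120",
    "flow ts=1734998741 10.0.0.9:51235 -> 176.126.86.20:443 proto=tcp bytes=980",
    "edr ts=1734998750 host=WS01 event=file_create md5=8FF61E4156C10B085E0C2233F24E8501",
]

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def build_index(iocs):
    """Normalise IOCs into per-type lookup tables keyed on their comparable form."""
    idx = {"url": {}, "host": {}, "ip_port": {}, "md5": {}}
    for ioc_type, value, family, confidence in iocs:
        tag = (family, confidence)
        if ioc_type == "url":
            idx["url"][value.rstrip("/")] = tag
            host = urlsplit(value).hostname       # already lower-cased by urlsplit
            if host:
                idx["host"][host] = tag           # a URL IOC also covers DNS lookups of its host
        elif ioc_type == "domain":
            idx["host"][value.lower()] = tag
        elif ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            idx["ip_port"][(ip, int(port))] = tag  # port stays in the key: shared IPs are common
        elif ioc_type == "md5_hash":
            idx["md5"][value.lower()] = tag
    return idx


def _parent_chain(host):
    """'home.fortth14pn.top' -> ['home.fortth14pn.top', 'fortth14pn.top'] (never the bare TLD)."""
    labels = host.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def scan_line(line, idx):
    """Return the hits ({type, indicator, malware, confidence}) found in one log line."""
    hits, seen = [], set()

    def add(kind, indicator, tag):
        if (kind, indicator) not in seen:
            seen.add((kind, indicator))
            hits.append({"type": kind, "indicator": indicator,
                         "malware": tag[0], "confidence": tag[1]})

    for url in URL_RE.findall(line):
        tag = idx["url"].get(url.rstrip("/"))
        if tag:
            add("url", url.rstrip("/"), tag)
    for ip, port in IPPORT_RE.findall(line):
        tag = idx["ip_port"].get((ip, int(port)))
        if tag:
            add("ip:port", f"{ip}:{port}", tag)
    for digest in MD5_RE.findall(line):
        tag = idx["md5"].get(digest.lower())
        if tag:
            add("md5_hash", digest.lower(), tag)
    for host in HOST_RE.findall(line):
        if host.replace(".", "").isdigit():       # dotted quads were handled above
            continue
        for candidate in _parent_chain(host):     # sub-domains of a listed domain count too
            tag = idx["host"].get(candidate)
            if tag:
                add("domain", candidate, tag)
                break
    return hits


def scan_logs(lines, iocs=IOCS, min_confidence=0):
    """Scan lines; min_confidence=75 drops the 50% entries (e.g. the LockBit hashes) to hunt leads."""
    idx = build_index(iocs)
    return [(n, hit) for n, line in enumerate(lines, 1)
            for hit in scan_line(line, idx) if hit["confidence"] >= min_confidence]
```

Two details carry the practitioner's caveats from the recommendations: the ip:port table is keyed on IP and port together, so the constructed flow to 176.126.86.20:443 does not fire while the one to port 80 does, and `min_confidence` lets the 50% entries be routed to a hunt queue instead of a block decision.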


Technical Details

Threat Level
2 (MISP: Medium)
Analysis
1 (MISP: Ongoing)
Distribution
3 (MISP: All communities)
Uuid
f9a27652-3d16-45ce-b7fc-99eba858144c
Original Timestamp
1734998588 (2024-12-24 00:03:08 UTC)

Indicators of Compromise

URL

Value | Description
http://47.116.64.160:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
http://110.40.134.37:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
https://satpr.com/7y6y.js | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://satpr.com/js.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
http://poubnxu3jubz.top/1.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
http://47.122.25.63:9999/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
http://101.43.89.114:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
http://121.41.99.166:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
https://94.130.188.57 | Vidar botnet C2 (confidence level: 100%)
https://95.216.183.108 | Vidar botnet C2 (confidence level: 100%)
http://135.181.65.216 | Stealc botnet C2 (confidence level: 100%)
http://poeiughybzu222.top/1.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://37.27.192.221/ | Vidar botnet C2 (confidence level: 100%)
https://bijutr.shop/ | Vidar botnet C2 (confidence level: 100%)
http://91.211.250.247/f53d7360a78c678c.php | Stealc botnet C2 (confidence level: 100%)
http://c999testdemo.pk6gb3.top:8092/pages/console/login.html | Unknown malware botnet C2 (confidence level: 100%)
https://dcfei.xyz/work/original.js | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://dcfei.xyz/work/index.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://dcfei.xyz/work/download.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
http://176.126.86.20/auth/login | Meduza Stealer botnet C2 (confidence level: 100%)
https://wordyfindy.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://slipperyloo.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://manyrestro.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://shapestickyr.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://talkynicer.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://curverpluch.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://tentabatte.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://bashfulacid.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://brendon-sharjen.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://boneyn.com/7y6y.js | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://boneyn.com/js.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://erectystickj.click/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://wrathful-jammy.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://awake-weaves.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://sordid-snaked.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://lev-tolstoi.com/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://krakenlpay.com/8jfgnds3d/login.php | Amadey botnet C2 (confidence level: 100%)
http://193.143.1.150/server.php | StrelaStealer botnet C2 (confidence level: 100%)
http://gajaechkfhfghal.top/ghe3wcnlb1htr.php | Unknown malware botnet C2 (confidence level: 100%)
https://maddhouzz.com/updater.php | Satacom botnet C2 (confidence level: 100%)

IP:port

Value | Description
3.64.4.198:10587 | NjRAT botnet C2 server (confidence level: 75%)
121.41.99.166:8888 | Unknown malware botnet C2 server (confidence level: 100%)
192.169.69.26:2150 | NjRAT botnet C2 server (confidence level: 75%)
87.120.112.234:47925 | MooBot botnet C2 server (confidence level: 75%)
18.193.3.69:2281 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
18.193.3.69:5222 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
185.196.8.12:3322 | Cobalt Strike botnet C2 server (confidence level: 100%)
124.222.22.192:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
172.86.80.94:8080 | Quasar RAT botnet C2 server (confidence level: 100%)
37.1.223.28:80 | Quasar RAT botnet C2 server (confidence level: 100%)
46.246.4.11:5000 | DCRat botnet C2 server (confidence level: 100%)
50.116.23.218:374 | Unknown malware botnet C2 server (confidence level: 100%)
38.60.171.153:8000 | Unknown malware botnet C2 server (confidence level: 100%)
113.44.73.93:60000 | Unknown malware botnet C2 server (confidence level: 100%)
45.117.179.8:443 | Unknown malware botnet C2 server (confidence level: 100%)
51.222.12.87:3333 | Unknown malware botnet C2 server (confidence level: 100%)
139.162.128.82:443 | Unknown malware botnet C2 server (confidence level: 100%)
47.92.220.146:3333 | Unknown malware botnet C2 server (confidence level: 100%)
194.110.220.75:10050 | Unknown malware botnet C2 server (confidence level: 100%)
18.190.157.68:8080 | Unknown malware botnet C2 server (confidence level: 100%)
87.120.120.51:2404 | Remcos botnet C2 server (confidence level: 75%)
134.122.134.93:9090 | ValleyRAT botnet C2 server (confidence level: 100%)
120.24.51.177:8080 | Cobalt Strike botnet C2 server (confidence level: 100%)
87.120.115.8:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
154.85.10.206:6666 | ValleyRAT botnet C2 server (confidence level: 100%)
46.17.41.15:80 | ShadowPad botnet C2 server (confidence level: 90%)
62.133.63.114:443 | Hook botnet C2 server (confidence level: 100%)
18.101.28.182:8443 | Havoc botnet C2 server (confidence level: 100%)
43.250.172.42:17091 | ValleyRAT botnet C2 server (confidence level: 100%)
154.216.18.146:2369 | Rhadamanthys botnet C2 server (confidence level: 100%)
135.181.65.216:443 | Stealc botnet C2 server (confidence level: 100%)
107.149.220.104:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
111.230.72.201:80 | Cobalt Strike botnet C2 server (confidence level: 100%)
62.60.233.240:443 | Hook botnet C2 server (confidence level: 100%)
34.132.16.207:443 | Unknown malware botnet C2 server (confidence level: 100%)
69.197.176.26:8443 | BianLian botnet C2 server (confidence level: 100%)
37.27.192.221:443 | Vidar botnet C2 server (confidence level: 100%)
188.245.216.205:443 | Vidar botnet C2 server (confidence level: 100%)
176.126.86.20:80 | Meduza Stealer botnet C2 server (confidence level: 50%)
45.135.232.38:52450 | AsyncRAT botnet C2 server (confidence level: 100%)
192.3.95.164:80 | AsyncRAT botnet C2 server (confidence level: 100%)
45.152.64.127:8088 | Cobalt Strike botnet C2 server (confidence level: 100%)
38.60.217.253:443 | Cobalt Strike botnet C2 server (confidence level: 100%)
83.229.122.192:2004 | Cobalt Strike botnet C2 server (confidence level: 100%)
93.123.39.68:44122 | Remcos botnet C2 server (confidence level: 100%)
128.90.113.216:9999 | AsyncRAT botnet C2 server (confidence level: 100%)
198.167.199.194:19132 | Quasar RAT botnet C2 server (confidence level: 100%)
81.109.131.3:4444 | Quasar RAT botnet C2 server (confidence level: 100%)
51.254.238.189:80 | Havoc botnet C2 server (confidence level: 100%)
51.254.238.189:443 | Havoc botnet C2 server (confidence level: 100%)
185.8.172.13:22 | DCRat botnet C2 server (confidence level: 100%)
89.117.94.224:8080 | Kaiji botnet C2 server (confidence level: 100%)
124.71.207.28:8000 | MimiKatz botnet C2 server (confidence level: 100%)
160.30.20.118:443 | Unknown malware botnet C2 server (confidence level: 100%)
193.143.1.150:80 | StrelaStealer botnet C2 server (confidence level: 75%)

Hash (MD5)

Value | Description
8ff61e4156c10b085e0c2233f24e8501 | LockBit payload (confidence level: 50%)
1319da1523ec2a67bda016c15334c195 | LockBit payload (confidence level: 50%)
0eff1f3ca94f1c8aeb4b720d6dd54fc3 | LockBit payload (confidence level: 50%)
e3a12d15768160d5c534cd99df9199e9 | LockBit payload (confidence level: 50%)
17a7cd1ead2d35ed5d69c71d4fd7386d | LockBit payload (confidence level: 50%)
9bb6340600f80baa4eb6777266f5f0df | LockBit payload (confidence level: 50%)
42cbb4743ea016868d7a049a6c9fb3fc | LockBit payload (confidence level: 50%)
8015d634e9e5fd003885700bca4723d8 | LockBit payload (confidence level: 50%)
a8e97fe5a7115e42759d67f7e4d88b0d | LockBit payload (confidence level: 50%)
d0457a54a4905ed5d2bb8a2b7ef7be0f | LockBit payload (confidence level: 50%)
7e525ef64a4e27fbb325d7cb4653f0a1 | LockBit payload (confidence level: 50%)
d96d2bcf13d55740f3bb64d45d2db94d | LockBit payload (confidence level: 50%)
2b84852065e28974e4081826ff09ddc1 | LockBit payload (confidence level: 50%)
e0411fcbbff0e20922d224c3ac8c811e | LockBit payload (confidence level: 50%)

Domain

Value | Description
satpr.com | FAKEUPDATES payload delivery domain (confidence level: 100%)
publicspeaking.co.id | Loki Password Stealer (PWS) botnet C2 domain (confidence level: 75%)
clickminded.agency | DarkGate botnet C2 domain (confidence level: 100%)
www.exciting-goldberg.193-239-86-216.plesk.page | Havoc botnet C2 domain (confidence level: 100%)
mail.coinhako.us | Havoc botnet C2 domain (confidence level: 100%)
principledjs.click | Lumma Stealer botnet C2 domain (confidence level: 100%)
neqi.shop | Lumma Stealer botnet C2 domain (confidence level: 50%)
ec2-3-114-169-53.ap-northeast-1.compute.amazonaws.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
fb.cdn-10.mylnix.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
asylumejkr.icu | Lumma Stealer botnet C2 domain (confidence level: 100%)
respectfulnesses.makeup | Raspberry Robin botnet C2 domain (confidence level: 100%)
bewailable.hair | Raspberry Robin botnet C2 domain (confidence level: 100%)
969d6a2f.respectfulnesses.makeup | Raspberry Robin botnet C2 domain (confidence level: 100%)
6t.lc | Raspberry Robin botnet C2 domain (confidence level: 100%)
clockersspic.click | Lumma Stealer botnet C2 domain (confidence level: 100%)
brasseriehub3.com | Amadey botnet C2 domain (confidence level: 50%)
simple-updatereport.com | Amadey botnet C2 domain (confidence level: 50%)
office.enewlaw.com | FAKEUPDATES botnet C2 domain (confidence level: 100%)
umeharasyo.one | DUCKTAIL botnet C2 domain (confidence level: 100%)
saveyourdata.shop | DUCKTAIL botnet C2 domain (confidence level: 100%)
swamfoxinnc.com | DBatLoader botnet C2 domain (confidence level: 100%)
tenth10pn.top | CryptBot botnet C2 domain (confidence level: 100%)
bremerhaven-mail.de | DUCKTAIL botnet C2 domain (confidence level: 100%)
nouisser.de | DUCKTAIL botnet C2 domain (confidence level: 100%)
bijutr.shop | Vidar botnet C2 domain (confidence level: 100%)
dcfei.xyz | FAKEUPDATES payload delivery domain (confidence level: 100%)
ec2-52-215-25-229.eu-west-1.compute.amazonaws.com | Havoc botnet C2 domain (confidence level: 100%)
twentyth20pn.top | CryptBot botnet C2 domain (confidence level: 100%)
fortth14pn.top | CryptBot botnet C2 domain (confidence level: 100%)
home.fortth14pn.top | CryptBot botnet C2 domain (confidence level: 100%)
wordyfindy.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
slipperyloo.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
manyrestro.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
shapestickyr.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
talkynicer.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
curverpluch.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
tentabatte.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
bashfulacid.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
volcanoyev.click | Lumma Stealer botnet C2 domain (confidence level: 100%)
brendon-sharjen.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
boneyn.com | FAKEUPDATES payload delivery domain (confidence level: 100%)
erectystickj.click | Lumma Stealer botnet C2 domain (confidence level: 100%)
wrathful-jammy.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%)
awake-weaves.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%)
sordid-snaked.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%)
sevz7sr.top | CryptBot botnet C2 domain (confidence level: 100%)
cg83870.tw1.ru | DCRat botnet C2 domain (confidence level: 100%)
f1039159.xsph.ru | DCRat botnet C2 domain (confidence level: 100%)
pw323.castledev.ru | DCRat botnet C2 domain (confidence level: 100%)
steamtp2.beget.tech | DCRat botnet C2 domain (confidence level: 100%)
f1064463.xsph.ru | DCRat botnet C2 domain (confidence level: 100%)
a1066647.xsph.ru | DCRat botnet C2 domain (confidence level: 100%)
a1067345.xsph.ru | DCRat botnet C2 domain (confidence level: 100%)
29358cm.darkproducts.ru | DCRat botnet C2 domain (confidence level: 100%)
krakenlpay.com | Amadey botnet C2 domain (confidence level: 100%)
currentheadlines.top | Cobalt Strike botnet C2 domain (confidence level: 100%)
eihz18ht.top | CryptBot botnet C2 domain (confidence level: 100%)
sixz6pt.top | CryptBot botnet C2 domain (confidence level: 100%)
www.cool-cartwright.193-239-86-216.plesk.page | Havoc botnet C2 domain (confidence level: 100%)
ip189.ip-51-254-238.eu | Havoc botnet C2 domain (confidence level: 100%)
chat.edureel.ai | Unknown malware botnet C2 domain (confidence level: 100%)
maddhouzz.com | Satacom botnet C2 domain (confidence level: 100%)
gajaechkfhfghal.top | Unknown malware botnet C2 domain (confidence level: 100%)
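Turning the list above into network detections, as an added example that is neither ThreatFox's nor this page's own tooling: each IOC type gets the Suricata rule that can actually observe it (a dns.query rule for domains, a tls.sni rule for https URLs because the path is encrypted on the wire, an http.host plus http.uri rule for plain-http URLs, a tcp rule pinned to IP and port for ip:port pairs), and anything below the confidence threshold or not network-observable (the MD5 hashes) is returned as skipped with a reason. The six IOC rows are copied from the list above; the sid range, the $HOME_NET and $EXTERNAL_NET variables and the msg wording are assumptions for the demo, and the keywords used need Suricata 5 or later.

```python
"""Emit Suricata rules from ThreatFox IOC rows, picking the rule type per IOC type.

Added example; it is not the feed's or this page's own tooling.  IOCS is a
subset of the indicators listed above.  The sid range, the $HOME_NET and
$EXTERNAL_NET variables and the msg text are assumptions for the demo.
Keywords used (dns.query, tls.sni, http.host, http.uri, endswith) need Suricata 5+.
"""
from urllib.parse import urlsplit

IOCS = [
    ("domain", "wordyfindy.lat", "Lumma Stealer", 100),
    ("domain", "neqi.shop", "Lumma Stealer", 50),
    ("url", "https://dcfei.xyz/work/download.php", "FAKEUPDATES", 100),
    ("url", "http://176.126.86.20/auth/login", "Meduza Stealer", 100),
    ("ip:port", "121.41.99.166:8888", "Unknown malware", 100),
    ("md5_hash", "8ff61e4156c10b085e0c2233f24e8501", "LockBit", 50),
]


def _content(value):
    """Escape bytes that would end a content: string; |hex| is Suricata's literal-byte syntax."""
    return value.replace("\\", "|5C|").replace('"', "|22|").replace(";", "|3B|")


def _msg(family, ioc_type, value):
    """msg: has no escape syntax, so just strip the two terminators."""
    return f"ThreatFox {family} {ioc_type} {value}".replace('"', "").replace(";", ",")


def suricata_rules(iocs, base_sid=9000000, min_confidence=75):
    """Return (rules, skipped): rules as Suricata text, skipped as (value, reason) pairs."""
    rules, skipped, sid = [], [], base_sid
    for ioc_type, value, family, conf in iocs:
        if conf < min_confidence:
            skipped.append((value, f"confidence {conf} below {min_confidence}"))
            continue
        msg = _msg(family, ioc_type, value)
        if ioc_type == "domain":
            # endswith: sub-domains of the listed domain match too (cf. home.fortth14pn.top).
            rule = (f'alert dns $HOME_NET any -> any any (msg:"{msg}"; dns.query; '
                    f'content:"{_content(value)}"; nocase; endswith; sid:{sid}; rev:1;)')
        elif ioc_type == "url":
            u = urlsplit(value)
            if u.scheme == "https":
                # Path and Host header are encrypted; the SNI is what the wire shows.
                rule = (f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"{msg}"; tls.sni; '
                        f'content:"{_content(u.hostname)}"; nocase; endswith; sid:{sid}; rev:1;)')
            else:
                rule = (f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"{msg}"; '
                        f'http.host; content:"{_content(u.hostname)}"; nocase; '
                        f'http.uri; content:"{_content(u.path or "/")}"; sid:{sid}; rev:1;)')
        elif ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            # Port kept on purpose: cloud and shared-hosting IPs serve other tenants too.
            rule = (f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{msg}"; '
                    f'flow:to_server; sid:{sid}; rev:1;)')
        else:
            skipped.append((value, f"{ioc_type} is not network-observable; use it in EDR/AV"))
            continue
        rules.append(rule)
        sid += 1
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = suricata_rules(IOCS)
    print("\n".join(rules))
    for value, why in skipped:
        print(f"# skipped {value}: {why}")
```

Write the returned rules to a .rules file included from suricata.yaml and reload; keep the sid block reserved so regenerating the feed tomorrow does not collide with hand-written rules, and re-run with the feed's newest rows rather than appending, since stale C2 addresses are the main source of false positives.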

Threat ID: 68367c96182aa0cae23194c2

Added to database: 5/28/2025, 3:01:42 AM

Last enriched: 6/27/2025, 11:22:20 AM

Last updated: 7/28/2025, 6:38:53 PM
