ThreatFox IOCs for 2024-12-23
AI Analysis
Technical Summary
The provided information pertains to a set of Indicators of Compromise (IOCs) published on December 23, 2024, by the ThreatFox MISP Feed. These IOCs relate to malware activity categorized under OSINT (Open Source Intelligence), network activity, and payload delivery. The threat is classified as medium severity with no specific affected product versions or patches available. No known exploits are currently active in the wild. The technical details indicate a moderate threat level (2 out of an unspecified scale), minimal analysis (1), and moderate distribution (3). However, the absence of detailed technical indicators, specific malware family names, attack vectors, or exploitation methods limits the ability to provide a granular technical explanation. Essentially, this entry serves as an OSINT update providing network activity and payload delivery indicators that could be used for detection and threat hunting rather than describing a novel or active exploit. The lack of CWE identifiers and absence of patch information suggest this is an intelligence feed update rather than a vulnerability or exploit disclosure. The threat likely involves malware payloads delivered over the network, which could be used by attackers to compromise systems if the indicators are not detected and blocked.
Potential Impact
For European organizations, the impact of this threat depends on their ability to integrate and act upon the provided IOCs within their security monitoring and incident response processes. Since the threat involves malware payload delivery and network activity, organizations lacking robust network detection and endpoint protection could face risks of compromise, data exfiltration, or service disruption. However, the absence of known exploits in the wild and the medium severity rating suggest that immediate widespread impact is unlikely. Organizations that do not maintain updated threat intelligence feeds or fail to correlate these IOCs with their internal logs may experience delayed detection of potential intrusions. This could lead to increased dwell time for attackers and potential lateral movement within networks. The threat's OSINT nature implies it is primarily useful for enhancing situational awareness and improving detection capabilities rather than representing an imminent attack vector.
Mitigation Recommendations
European organizations should focus on integrating these IOCs into their existing security information and event management (SIEM) systems, intrusion detection/prevention systems (IDS/IPS), and endpoint detection and response (EDR) tools to enhance detection capabilities. Specific recommendations include:
1) Regularly update and validate threat intelligence feeds to ensure timely ingestion of new IOCs.
2) Conduct network traffic analysis to identify suspicious payload delivery attempts matching the provided indicators.
3) Implement strict network segmentation and monitoring to limit lateral movement if a compromise occurs.
4) Perform proactive threat hunting exercises using the IOCs to identify potential undetected infections.
5) Educate security teams on interpreting OSINT-based threat intelligence to improve response times.
6) Maintain robust backup and recovery procedures to mitigate potential impacts of malware infections.
Since no patches are available, emphasis should be on detection, containment, and response rather than remediation of a specific vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- Uuid: f9a27652-3d16-45ce-b7fc-99eba858144c
- Original Timestamp: 1734998588
Indicators of Compromise
Threat ID: 68367c96182aa0cae23194c2
Added to database: 5/28/2025, 3:01:42 AM
Last enriched: 6/27/2025, 11:22:20 AM
Last updated: 8/13/2025, 11:08:23 PM