ThreatFox IOCs for 2024-12-23
AI Analysis
Technical Summary
The provided threat intelligence relates to a malware category entry titled "ThreatFox IOCs for 2024-12-23," sourced from ThreatFox, which is a platform known for sharing Indicators of Compromise (IOCs) and threat intelligence data. The entry is classified under "malware" with a medium severity rating and tagged as "type:osint" and "tlp:white," indicating that the information is open and shareable without restriction. However, the technical details are minimal, with no specific affected software versions, no CWE identifiers, no patch links, and no known exploits in the wild. The threat level is rated as 2 (on an unspecified scale), with analysis and distribution scores of 1 and 3 respectively, suggesting limited analysis depth but a moderate distribution potential. No concrete indicators such as file hashes, IP addresses, or domain names are provided, limiting the ability to perform targeted detection or response. The lack of detailed technical data implies that this entry serves primarily as a general alert or placeholder for emerging malware-related IOCs rather than a description of a specific, actively exploited malware strain.
Potential Impact
Given the absence of detailed technical information and known exploits, the immediate impact on European organizations appears limited. However, the medium severity rating and moderate distribution score suggest that this malware or related IOCs could potentially be leveraged in future campaigns. European organizations relying on open-source intelligence (OSINT) tools or platforms similar to ThreatFox might be indirectly affected if these IOCs are integrated into their threat detection systems without proper validation, potentially leading to false positives or overlooked threats. Additionally, sectors with high reliance on threat intelligence for proactive defense, such as financial services, critical infrastructure, and government agencies, could face increased risk if the malware evolves or if adversaries exploit the shared IOCs for targeted attacks. The lack of known exploits in the wild reduces the immediate threat but does not eliminate the possibility of future exploitation, especially given the dynamic nature of malware development and distribution.
Mitigation Recommendations
1. Validate and contextualize IOCs before integration: Organizations should ensure that any IOCs sourced from ThreatFox or similar platforms are verified and correlated with internal telemetry to avoid false positives or misdirected response efforts.
2. Enhance OSINT ingestion pipelines with threat intelligence fusion: Combine multiple intelligence sources to improve detection accuracy and reduce reliance on single-source data.
3. Monitor for updates: Continuously track ThreatFox and other OSINT feeds for updates or new indicators related to this malware to enable timely detection and response.
4. Implement behavioral detection: Deploy endpoint detection and response (EDR) solutions capable of identifying anomalous behaviors associated with malware, rather than relying solely on signature-based detection.
5. Conduct regular threat hunting exercises: Use the medium severity alert as a prompt to proactively search for suspicious activity within networks, especially focusing on indicators that may emerge from this or related intelligence.
6. Educate security teams on interpreting OSINT data: Provide training to ensure analysts understand the limitations and appropriate use of open-source threat intelligence to avoid overreliance or misinterpretation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- f9a27652-3d16-45ce-b7fc-99eba858144c
- Original Timestamp
- 1734998588
Indicators of Compromise
Url
Value | Description
---|---
http://47.116.64.160:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
http://110.40.134.37:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
https://satpr.com/7y6y.js | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://satpr.com/js.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
http://poubnxu3jubz.top/1.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
http://47.122.25.63:9999/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
http://101.43.89.114:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
http://121.41.99.166:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%)
https://94.130.188.57 | Vidar botnet C2 (confidence level: 100%)
https://95.216.183.108 | Vidar botnet C2 (confidence level: 100%)
http://135.181.65.216 | Stealc botnet C2 (confidence level: 100%)
http://poeiughybzu222.top/1.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://37.27.192.221/ | Vidar botnet C2 (confidence level: 100%)
https://bijutr.shop/ | Vidar botnet C2 (confidence level: 100%)
http://91.211.250.247/f53d7360a78c678c.php | Stealc botnet C2 (confidence level: 100%)
http://c999testdemo.pk6gb3.top:8092/pages/console/login.html | Unknown malware botnet C2 (confidence level: 100%)
https://dcfei.xyz/work/original.js | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://dcfei.xyz/work/index.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://dcfei.xyz/work/download.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
http://176.126.86.20/auth/login | Meduza Stealer botnet C2 (confidence level: 100%)
https://wordyfindy.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://slipperyloo.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://manyrestro.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://shapestickyr.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://talkynicer.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://curverpluch.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://tentabatte.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://bashfulacid.lat/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://brendon-sharjen.biz/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://boneyn.com/7y6y.js | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://boneyn.com/js.php | FAKEUPDATES payload delivery URL (confidence level: 100%)
https://erectystickj.click/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://wrathful-jammy.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://awake-weaves.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://sordid-snaked.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://lev-tolstoi.com/api | Lumma Stealer botnet C2 (confidence level: 100%)
https://krakenlpay.com/8jfgnds3d/login.php | Amadey botnet C2 (confidence level: 100%)
http://193.143.1.150/server.php | StrelaStealer botnet C2 (confidence level: 100%)
http://gajaechkfhfghal.top/ghe3wcnlb1htr.php | Unknown malware botnet C2 (confidence level: 100%)
https://maddhouzz.com/updater.php | Satacom botnet C2 (confidence level: 100%)
File
Value | Description
---|---
3.64.4.198 | NjRAT botnet C2 server (confidence level: 75%)
121.41.99.166 | Unknown malware botnet C2 server (confidence level: 100%)
192.169.69.26 | NjRAT botnet C2 server (confidence level: 75%)
87.120.112.234 | MooBot botnet C2 server (confidence level: 75%)
18.193.3.69 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
18.193.3.69 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
185.196.8.12 | Cobalt Strike botnet C2 server (confidence level: 100%)
124.222.22.192 | Cobalt Strike botnet C2 server (confidence level: 100%)
172.86.80.94 | Quasar RAT botnet C2 server (confidence level: 100%)
37.1.223.28 | Quasar RAT botnet C2 server (confidence level: 100%)
46.246.4.11 | DCRat botnet C2 server (confidence level: 100%)
50.116.23.218 | Unknown malware botnet C2 server (confidence level: 100%)
38.60.171.153 | Unknown malware botnet C2 server (confidence level: 100%)
113.44.73.93 | Unknown malware botnet C2 server (confidence level: 100%)
45.117.179.8 | Unknown malware botnet C2 server (confidence level: 100%)
51.222.12.87 | Unknown malware botnet C2 server (confidence level: 100%)
139.162.128.82 | Unknown malware botnet C2 server (confidence level: 100%)
47.92.220.146 | Unknown malware botnet C2 server (confidence level: 100%)
194.110.220.75 | Unknown malware botnet C2 server (confidence level: 100%)
18.190.157.68 | Unknown malware botnet C2 server (confidence level: 100%)
87.120.120.51 | Remcos botnet C2 server (confidence level: 75%)
134.122.134.93 | ValleyRAT botnet C2 server (confidence level: 100%)
120.24.51.177 | Cobalt Strike botnet C2 server (confidence level: 100%)
87.120.115.8 | Cobalt Strike botnet C2 server (confidence level: 100%)
154.85.10.206 | ValleyRAT botnet C2 server (confidence level: 100%)
46.17.41.15 | ShadowPad botnet C2 server (confidence level: 90%)
62.133.63.114 | Hook botnet C2 server (confidence level: 100%)
18.101.28.182 | Havoc botnet C2 server (confidence level: 100%)
43.250.172.42 | ValleyRAT botnet C2 server (confidence level: 100%)
154.216.18.146 | Rhadamanthys botnet C2 server (confidence level: 100%)
135.181.65.216 | Stealc botnet C2 server (confidence level: 100%)
107.149.220.104 | Cobalt Strike botnet C2 server (confidence level: 100%)
111.230.72.201 | Cobalt Strike botnet C2 server (confidence level: 100%)
62.60.233.240 | Hook botnet C2 server (confidence level: 100%)
34.132.16.207 | Unknown malware botnet C2 server (confidence level: 100%)
69.197.176.26 | BianLian botnet C2 server (confidence level: 100%)
37.27.192.221 | Vidar botnet C2 server (confidence level: 100%)
188.245.216.205 | Vidar botnet C2 server (confidence level: 100%)
176.126.86.20 | Meduza Stealer botnet C2 server (confidence level: 50%)
45.135.232.38 | AsyncRAT botnet C2 server (confidence level: 100%)
192.3.95.164 | AsyncRAT botnet C2 server (confidence level: 100%)
45.152.64.127 | Cobalt Strike botnet C2 server (confidence level: 100%)
38.60.217.253 | Cobalt Strike botnet C2 server (confidence level: 100%)
83.229.122.192 | Cobalt Strike botnet C2 server (confidence level: 100%)
93.123.39.68 | Remcos botnet C2 server (confidence level: 100%)
128.90.113.216 | AsyncRAT botnet C2 server (confidence level: 100%)
198.167.199.194 | Quasar RAT botnet C2 server (confidence level: 100%)
81.109.131.3 | Quasar RAT botnet C2 server (confidence level: 100%)
51.254.238.189 | Havoc botnet C2 server (confidence level: 100%)
51.254.238.189 | Havoc botnet C2 server (confidence level: 100%)
185.8.172.13 | DCRat botnet C2 server (confidence level: 100%)
89.117.94.224 | Kaiji botnet C2 server (confidence level: 100%)
124.71.207.28 | MimiKatz botnet C2 server (confidence level: 100%)
160.30.20.118 | Unknown malware botnet C2 server (confidence level: 100%)
193.143.1.150 | StrelaStealer botnet C2 server (confidence level: 75%)
Hash
Value | Description
---|---
10587 | NjRAT botnet C2 server (confidence level: 75%)
8888 | Unknown malware botnet C2 server (confidence level: 100%)
2150 | NjRAT botnet C2 server (confidence level: 75%)
47925 | MooBot botnet C2 server (confidence level: 75%)
2281 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
5222 | NetSupportManager RAT botnet C2 server (confidence level: 100%)
3322 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
8080 | Quasar RAT botnet C2 server (confidence level: 100%)
80 | Quasar RAT botnet C2 server (confidence level: 100%)
5000 | DCRat botnet C2 server (confidence level: 100%)
374 | Unknown malware botnet C2 server (confidence level: 100%)
8000 | Unknown malware botnet C2 server (confidence level: 100%)
60000 | Unknown malware botnet C2 server (confidence level: 100%)
443 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
443 | Unknown malware botnet C2 server (confidence level: 100%)
3333 | Unknown malware botnet C2 server (confidence level: 100%)
10050 | Unknown malware botnet C2 server (confidence level: 100%)
8080 | Unknown malware botnet C2 server (confidence level: 100%)
2404 | Remcos botnet C2 server (confidence level: 75%)
9090 | ValleyRAT botnet C2 server (confidence level: 100%)
8080 | Cobalt Strike botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
6666 | ValleyRAT botnet C2 server (confidence level: 100%)
80 | ShadowPad botnet C2 server (confidence level: 90%)
443 | Hook botnet C2 server (confidence level: 100%)
8443 | Havoc botnet C2 server (confidence level: 100%)
17091 | ValleyRAT botnet C2 server (confidence level: 100%)
2369 | Rhadamanthys botnet C2 server (confidence level: 100%)
443 | Stealc botnet C2 server (confidence level: 100%)
8ff61e4156c10b085e0c2233f24e8501 | LockBit payload (confidence level: 50%)
1319da1523ec2a67bda016c15334c195 | LockBit payload (confidence level: 50%)
0eff1f3ca94f1c8aeb4b720d6dd54fc3 | LockBit payload (confidence level: 50%)
e3a12d15768160d5c534cd99df9199e9 | LockBit payload (confidence level: 50%)
17a7cd1ead2d35ed5d69c71d4fd7386d | LockBit payload (confidence level: 50%)
9bb6340600f80baa4eb6777266f5f0df | LockBit payload (confidence level: 50%)
42cbb4743ea016868d7a049a6c9fb3fc | LockBit payload (confidence level: 50%)
8015d634e9e5fd003885700bca4723d8 | LockBit payload (confidence level: 50%)
a8e97fe5a7115e42759d67f7e4d88b0d | LockBit payload (confidence level: 50%)
d0457a54a4905ed5d2bb8a2b7ef7be0f | LockBit payload (confidence level: 50%)
7e525ef64a4e27fbb325d7cb4653f0a1 | LockBit payload (confidence level: 50%)
d96d2bcf13d55740f3bb64d45d2db94d | LockBit payload (confidence level: 50%)
2b84852065e28974e4081826ff09ddc1 | LockBit payload (confidence level: 50%)
e0411fcbbff0e20922d224c3ac8c811e | LockBit payload (confidence level: 50%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
80 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Hook botnet C2 server (confidence level: 100%)
443 | Unknown malware botnet C2 server (confidence level: 100%)
8443 | BianLian botnet C2 server (confidence level: 100%)
443 | Vidar botnet C2 server (confidence level: 100%)
443 | Vidar botnet C2 server (confidence level: 100%)
80 | Meduza Stealer botnet C2 server (confidence level: 50%)
52450 | AsyncRAT botnet C2 server (confidence level: 100%)
80 | AsyncRAT botnet C2 server (confidence level: 100%)
8088 | Cobalt Strike botnet C2 server (confidence level: 100%)
443 | Cobalt Strike botnet C2 server (confidence level: 100%)
2004 | Cobalt Strike botnet C2 server (confidence level: 100%)
44122 | Remcos botnet C2 server (confidence level: 100%)
9999 | AsyncRAT botnet C2 server (confidence level: 100%)
19132 | Quasar RAT botnet C2 server (confidence level: 100%)
4444 | Quasar RAT botnet C2 server (confidence level: 100%)
80 | Havoc botnet C2 server (confidence level: 100%)
443 | Havoc botnet C2 server (confidence level: 100%)
22 | DCRat botnet C2 server (confidence level: 100%)
8080 | Kaiji botnet C2 server (confidence level: 100%)
8000 | MimiKatz botnet C2 server (confidence level: 100%)
443 | Unknown malware botnet C2 server (confidence level: 100%)
80 | StrelaStealer botnet C2 server (confidence level: 75%)
Domain
Value | Description
---|---
satpr.com | FAKEUPDATES payload delivery domain (confidence level: 100%)
publicspeaking.co.id | Loki Password Stealer (PWS) botnet C2 domain (confidence level: 75%)
clickminded.agency | DarkGate botnet C2 domain (confidence level: 100%)
www.exciting-goldberg.193-239-86-216.plesk.page | Havoc botnet C2 domain (confidence level: 100%)
mail.coinhako.us | Havoc botnet C2 domain (confidence level: 100%)
principledjs.click | Lumma Stealer botnet C2 domain (confidence level: 100%)
neqi.shop | Lumma Stealer botnet C2 domain (confidence level: 50%)
ec2-3-114-169-53.ap-northeast-1.compute.amazonaws.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
fb.cdn-10.mylnix.com | Cobalt Strike botnet C2 domain (confidence level: 100%)
asylumejkr.icu | Lumma Stealer botnet C2 domain (confidence level: 100%)
respectfulnesses.makeup | Raspberry Robin botnet C2 domain (confidence level: 100%)
bewailable.hair | Raspberry Robin botnet C2 domain (confidence level: 100%)
969d6a2f.respectfulnesses.makeup | Raspberry Robin botnet C2 domain (confidence level: 100%)
6t.lc | Raspberry Robin botnet C2 domain (confidence level: 100%)
clockersspic.click | Lumma Stealer botnet C2 domain (confidence level: 100%)
brasseriehub3.com | Amadey botnet C2 domain (confidence level: 50%)
simple-updatereport.com | Amadey botnet C2 domain (confidence level: 50%)
office.enewlaw.com | FAKEUPDATES botnet C2 domain (confidence level: 100%)
umeharasyo.one | DUCKTAIL botnet C2 domain (confidence level: 100%)
saveyourdata.shop | DUCKTAIL botnet C2 domain (confidence level: 100%)
swamfoxinnc.com | DBatLoader botnet C2 domain (confidence level: 100%)
tenth10pn.top | CryptBot botnet C2 domain (confidence level: 100%)
bremerhaven-mail.de | DUCKTAIL botnet C2 domain (confidence level: 100%)
nouisser.de | DUCKTAIL botnet C2 domain (confidence level: 100%)
bijutr.shop | Vidar botnet C2 domain (confidence level: 100%)
dcfei.xyz | FAKEUPDATES payload delivery domain (confidence level: 100%)
ec2-52-215-25-229.eu-west-1.compute.amazonaws.com | Havoc botnet C2 domain (confidence level: 100%)
twentyth20pn.top | CryptBot botnet C2 domain (confidence level: 100%)
fortth14pn.top | CryptBot botnet C2 domain (confidence level: 100%)
home.fortth14pn.top | CryptBot botnet C2 domain (confidence level: 100%)
wordyfindy.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
slipperyloo.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
manyrestro.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
shapestickyr.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
talkynicer.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
curverpluch.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
tentabatte.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
bashfulacid.lat | Lumma Stealer botnet C2 domain (confidence level: 100%)
volcanoyev.click | Lumma Stealer botnet C2 domain (confidence level: 100%)
brendon-sharjen.biz | Lumma Stealer botnet C2 domain (confidence level: 100%)
boneyn.com | FAKEUPDATES payload delivery domain (confidence level: 100%)
erectystickj.click | Lumma Stealer botnet C2 domain (confidence level: 100%)
wrathful-jammy.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%)
awake-weaves.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%)
sordid-snaked.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%)
sevz7sr.top | CryptBot botnet C2 domain (confidence level: 100%)
cg83870.tw1.ru | DCRat botnet C2 domain (confidence level: 100%)
f1039159.xsph.ru | DCRat botnet C2 domain (confidence level: 100%)
pw323.castledev.ru | DCRat botnet C2 domain (confidence level: 100%)
steamtp2.beget.tech | DCRat botnet C2 domain (confidence level: 100%)
f1064463.xsph.ru | DCRat botnet C2 domain (confidence level: 100%)
a1066647.xsph.ru | DCRat botnet C2 domain (confidence level: 100%)
a1067345.xsph.ru | DCRat botnet C2 domain (confidence level: 100%)
29358cm.darkproducts.ru | DCRat botnet C2 domain (confidence level: 100%)
krakenlpay.com | Amadey botnet C2 domain (confidence level: 100%)
currentheadlines.top | Cobalt Strike botnet C2 domain (confidence level: 100%)
eihz18ht.top | CryptBot botnet C2 domain (confidence level: 100%)
sixz6pt.top | CryptBot botnet C2 domain (confidence level: 100%)
www.cool-cartwright.193-239-86-216.plesk.page | Havoc botnet C2 domain (confidence level: 100%)
ip189.ip-51-254-238.eu | Havoc botnet C2 domain (confidence level: 100%)
chat.edureel.ai | Unknown malware botnet C2 domain (confidence level: 100%)
maddhouzz.com | Satacom botnet C2 domain (confidence level: 100%)
gajaechkfhfghal.top | Unknown malware botnet C2 domain (confidence level: 100%)
Threat ID: 682acdc4bbaf20d303f214be
Added to database: 5/19/2025, 6:20:52 AM
Last enriched: 6/18/2025, 8:05:52 AM
Last updated: 7/26/2025, 2:50:10 PM