ThreatFox IOCs for 2024-12-26
ThreatFox IOCs for 2024-12-26
AI Analysis
Technical Summary
The provided information pertains to a malware-related threat identified as 'ThreatFox IOCs for 2024-12-26,' sourced from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat intelligence data. The threat is categorized under 'type:osint,' indicating that it primarily involves open-source intelligence data or is related to the collection and use of publicly available information for malicious purposes. There are no specific affected product versions or detailed technical indicators provided, and no known exploits in the wild have been reported as of the publication date (December 26, 2024). The threat level is rated as 2 on an unspecified scale, with analysis and distribution scores of 1 and 3 respectively, suggesting moderate distribution but limited analysis depth. The absence of detailed CWEs, patch links, or specific attack vectors limits the granularity of technical insight. However, the presence of IOCs implies that this threat involves malware that may be detected or tracked through these indicators, potentially facilitating reconnaissance, data exfiltration, or further exploitation. The 'tlp:white' tag indicates that the information is freely shareable without restriction, which may aid in collaborative defense efforts. Overall, this threat appears to be a medium-severity malware campaign or intelligence set that is currently not actively exploited but could pose risks if leveraged in targeted attacks or combined with other vulnerabilities.
Potential Impact
For European organizations, the impact of this threat is currently assessed as medium due to the lack of active exploitation and detailed technical specifics. However, given that the threat involves malware with associated IOCs, there is potential for unauthorized data collection, espionage, or disruption if the malware is deployed in targeted campaigns. Organizations relying on open-source intelligence tools or those with exposure to publicly accessible systems may be at increased risk. The malware could facilitate initial access or lateral movement within networks, potentially compromising confidentiality and integrity of sensitive data. Availability impact appears limited at this stage due to no reported active exploits. The medium severity suggests that while immediate widespread damage is unlikely, the threat could be leveraged in more sophisticated attacks, especially against sectors with high-value data or critical infrastructure. European entities in finance, government, and technology sectors should be particularly vigilant, as they are common targets for malware campaigns leveraging OSINT techniques.
Mitigation Recommendations
1. Implement proactive IOC-based detection by integrating ThreatFox IOCs into existing Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems to enable early identification of potential malware activity. 2. Conduct regular threat hunting exercises focused on OSINT-related malware indicators, emphasizing network traffic analysis and endpoint behavior anomalies. 3. Harden open-source intelligence gathering tools and restrict access to minimize exposure to malicious payloads or compromised data sources. 4. Enforce strict network segmentation and least privilege access controls to limit lateral movement in case of infection. 5. Maintain up-to-date threat intelligence sharing with trusted partners and participate in information sharing communities to stay informed about emerging variants or exploitation attempts. 6. Educate security teams on the nuances of OSINT-related threats and the importance of correlating IOCs with internal telemetry for comprehensive detection. 7. Regularly update and patch all systems, even though no specific patches are linked to this threat, to reduce the attack surface for potential exploitation combined with this malware.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- domain: company-telecom.gl.at.ply.gg
- file: 64.23.249.232
- hash: 1995
- domain: google-br.duckdns.org
- file: 47.96.13.97
- hash: 60000
- file: 103.234.72.11
- hash: 8888
- file: 104.194.133.200
- hash: 4439
- file: 51.195.224.150
- hash: 4444
- file: 35.183.18.22
- hash: 6846
- file: 79.110.49.141
- hash: 80
- file: 18.162.79.80
- hash: 9000
- file: 45.129.199.234
- hash: 80
- url: https://consirepdi.biz/login
- url: https://abaftebeetl.biz/login
- file: 103.242.12.203
- hash: 8686
- file: 13.38.65.151
- hash: 8088
- file: 52.10.174.127
- hash: 49127
- file: 88.252.172.73
- hash: 888
- file: 88.252.172.73
- hash: 2003
- file: 88.252.172.73
- hash: 2004
- file: 88.252.172.73
- hash: 20000
- domain: 165-22-250-3.cprapid.com
- file: 182.92.206.168
- hash: 60000
- file: 48.217.82.81
- hash: 3333
- file: 209.38.144.199
- hash: 8443
- file: 193.31.41.56
- hash: 3333
- file: 54.91.28.108
- hash: 443
- file: 104.248.166.199
- hash: 1337
- file: 18.135.30.45
- hash: 4084
- file: 147.185.221.24
- hash: 37334
- domain: problems-onion.gl.at.ply.gg
- file: 59.110.47.61
- hash: 80
- file: 1.94.63.197
- hash: 9999
- file: 185.147.124.179
- hash: 15647
- file: 185.147.124.179
- hash: 15747
- file: 3.123.228.130
- hash: 9042
- file: 18.159.141.158
- hash: 37036
- file: 154.64.244.69
- hash: 80
- file: 47.122.64.186
- hash: 8888
- file: 47.97.121.215
- hash: 7777
- file: 39.106.2.51
- hash: 443
- file: 121.40.112.176
- hash: 8087
- file: 198.44.174.39
- hash: 4433
- file: 42.240.133.45
- hash: 8800
- file: 87.120.115.8
- hash: 443
- file: 42.193.217.148
- hash: 443
- file: 120.46.9.210
- hash: 5555
- file: 8.152.197.112
- hash: 7777
- file: 104.250.169.102
- hash: 443
- file: 8.137.105.126
- hash: 1234
- file: 198.181.32.32
- hash: 1080
- file: 47.76.118.8
- hash: 8888
- file: 93.179.101.17
- hash: 80
- hash: ba4039b27f64a90d1038905f8b8804d0
- hash: 0a6dd4eee2a0629d1da62f248a17ec80
- hash: d72c3508cbb968c478e0bd91e0f11424
- hash: bfc3dfd07dcf918bb87126fac4c62e7c
- hash: dfb38db3eeee3287524d4d3aacae8c45
- file: 121.37.140.40
- hash: 6666
- domain: stock.letsgoautomotive.com
- url: http://lopatasovka.ru/generatordlepublic.php
- url: http://649521cm.renyash.ru/pipetojavascriptrequestpollcpubasetestprivatetemp.php
- domain: treehoneyi.click
- domain: awake-weaves.cyou
- domain: fantassyzwi.click
- domain: sordid-snaked.cyou
- domain: wrathful-jammy.cyou
- domain: lev-tolstoi.com
- domain: notebookgi.click
- domain: senc1.melody-wave.shop
- domain: triptrip.melody-wave.shop
- domain: panelmaideus.click
- domain: locketplyxx.click
- domain: klipsyzogey.shop
- url: https://sordid-snaked.cyou/api
- url: https://awake-weaves.cyou/api
- url: https://wrathful-jammy.cyou/api
- domain: awake-weaves.cyou
- domain: sordid-snaked.cyou
- domain: wrathful-jammy.cyou
- domain: slimmybearz.click
- url: https://appliacnesot.buzz/api
- url: https://cashfuzysao.buzz/api
- url: https://hummskitnj.buzz/api
- url: https://inherineau.buzz/api
- url: https://mindhandru.buzz/api
- url: https://prisonyfork.buzz/api
- url: https://rebuildeso.buzz/api
- url: https://scentniej.buzz/api
- url: https://screwamusresz.buzz/api
- file: 1.94.149.77
- hash: 80
- file: 117.50.186.71
- hash: 8080
- file: 123.57.29.207
- hash: 8888
- file: 2.58.56.76
- hash: 6606
- file: 185.49.126.134
- hash: 4444
- file: 66.179.240.177
- hash: 80
- file: 185.196.9.195
- hash: 443
- file: 72.5.42.220
- hash: 443
- file: 87.121.86.200
- hash: 80
- file: 94.237.73.53
- hash: 8000
- domain: justyffyr.click
- url: https://justyffyr.click/api
- domain: undesirabkel.click
- url: https://undesirabkel.click/api
- url: https://successroadway.com/updater.php
- domain: successroadway.com
- file: 213.136.90.188
- hash: 4449
- file: 213.136.90.188
- hash: 7000
- file: 116.198.232.205
- hash: 8888
- file: 164.92.252.141
- hash: 80
- file: 154.216.20.216
- hash: 3778
- domain: fiveth5vt.top
- domain: fortth14vt.top
- domain: home.sixth6vt.top
- domain: home.tenth10vt.top
- domain: nineth9vt.top
- domain: oneth1vt.top
- domain: sixth6vt.top
- domain: tenth10vt.top
- domain: thirtth13vt.top
- domain: twentyth20vt.top
- domain: eighth8vt.top
- url: http://tubnzy3uvz.top/1.php
- file: 147.45.69.75
- hash: 4444
- file: 106.15.184.255
- hash: 7771
- file: 106.15.184.255
- hash: 50001
- file: 194.26.192.21
- hash: 80
- file: 23.26.146.61
- hash: 30120
- file: 79.110.49.56
- hash: 80
- file: 34.58.44.108
- hash: 80
- file: 94.156.248.31
- hash: 72
- url: http://durok.ru/javascriptpacketgeoserverwindowsflowerwordpresswpcentral.php
- file: 45.137.22.250
- hash: 55615
- url: http://cyberpotato.ru/externalhttpcpuauthpubliccdn.php
- url: http://152.32.170.129/12.exe
- url: http://152.32.170.129/121.exe
- file: 152.42.226.16
- hash: 60421
- file: 3.21.97.241
- hash: 80
- file: 111.229.239.68
- hash: 8443
- file: 141.98.197.31
- hash: 21760
- file: 39.100.90.182
- hash: 80
- file: 217.12.201.39
- hash: 26076
- file: 107.22.37.1
- hash: 443
- file: 113.44.78.183
- hash: 8888
- file: 106.75.47.251
- hash: 8888
- domain: bleedingheart1897.lol
- file: 52.232.121.162
- hash: 8000
- file: 149.50.108.116
- hash: 7332
- url: http://321723cm.renyash.ru/authdbbasetraffic.php
- file: 198.44.170.193
- hash: 18091
- file: 8.218.163.62
- hash: 6666
- file: 154.201.87.51
- hash: 11111
ThreatFox IOCs for 2024-12-26
Description
ThreatFox IOCs for 2024-12-26
AI-Powered Analysis
Technical Analysis
The provided information pertains to a malware-related threat identified as 'ThreatFox IOCs for 2024-12-26,' sourced from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat intelligence data. The threat is categorized under 'type:osint,' indicating that it primarily involves open-source intelligence data or is related to the collection and use of publicly available information for malicious purposes. There are no specific affected product versions or detailed technical indicators provided, and no known exploits in the wild have been reported as of the publication date (December 26, 2024). The threat level is rated as 2 on an unspecified scale, with analysis and distribution scores of 1 and 3 respectively, suggesting moderate distribution but limited analysis depth. The absence of detailed CWEs, patch links, or specific attack vectors limits the granularity of technical insight. However, the presence of IOCs implies that this threat involves malware that may be detected or tracked through these indicators, potentially facilitating reconnaissance, data exfiltration, or further exploitation. The 'tlp:white' tag indicates that the information is freely shareable without restriction, which may aid in collaborative defense efforts. Overall, this threat appears to be a medium-severity malware campaign or intelligence set that is currently not actively exploited but could pose risks if leveraged in targeted attacks or combined with other vulnerabilities.
Potential Impact
For European organizations, the impact of this threat is currently assessed as medium due to the lack of active exploitation and detailed technical specifics. However, given that the threat involves malware with associated IOCs, there is potential for unauthorized data collection, espionage, or disruption if the malware is deployed in targeted campaigns. Organizations relying on open-source intelligence tools or those with exposure to publicly accessible systems may be at increased risk. The malware could facilitate initial access or lateral movement within networks, potentially compromising confidentiality and integrity of sensitive data. Availability impact appears limited at this stage due to no reported active exploits. The medium severity suggests that while immediate widespread damage is unlikely, the threat could be leveraged in more sophisticated attacks, especially against sectors with high-value data or critical infrastructure. European entities in finance, government, and technology sectors should be particularly vigilant, as they are common targets for malware campaigns leveraging OSINT techniques.
Mitigation Recommendations
1. Implement proactive IOC-based detection by integrating ThreatFox IOCs into existing Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems to enable early identification of potential malware activity. 2. Conduct regular threat hunting exercises focused on OSINT-related malware indicators, emphasizing network traffic analysis and endpoint behavior anomalies. 3. Harden open-source intelligence gathering tools and restrict access to minimize exposure to malicious payloads or compromised data sources. 4. Enforce strict network segmentation and least privilege access controls to limit lateral movement in case of infection. 5. Maintain up-to-date threat intelligence sharing with trusted partners and participate in information sharing communities to stay informed about emerging variants or exploitation attempts. 6. Educate security teams on the nuances of OSINT-related threats and the importance of correlating IOCs with internal telemetry for comprehensive detection. 7. Regularly update and patch all systems, even though no specific patches are linked to this threat, to reduce the attack surface for potential exploitation combined with this malware.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- 75fef325-85e7-4359-adbe-107ab3e012f2
- Original Timestamp
- 1735257788
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domaincompany-telecom.gl.at.ply.gg | NjRAT botnet C2 domain (confidence level: 75%) | |
domaingoogle-br.duckdns.org | Mirai botnet C2 domain (confidence level: 75%) | |
domain165-22-250-3.cprapid.com | Unknown malware botnet C2 domain (confidence level: 100%) | |
domainproblems-onion.gl.at.ply.gg | NjRAT botnet C2 domain (confidence level: 75%) | |
domainstock.letsgoautomotive.com | FAKEUPDATES botnet C2 domain (confidence level: 100%) | |
domaintreehoneyi.click | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainawake-weaves.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainfantassyzwi.click | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainsordid-snaked.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainwrathful-jammy.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainlev-tolstoi.com | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainnotebookgi.click | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainsenc1.melody-wave.shop | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaintriptrip.melody-wave.shop | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainpanelmaideus.click | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainlocketplyxx.click | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainklipsyzogey.shop | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainawake-weaves.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainsordid-snaked.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainwrathful-jammy.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainslimmybearz.click | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainjustyffyr.click | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainundesirabkel.click | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainsuccessroadway.com | Satacom botnet C2 domain (confidence level: 100%) | |
domainfiveth5vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domainfortth14vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domainhome.sixth6vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domainhome.tenth10vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domainnineth9vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domainoneth1vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domainsixth6vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domaintenth10vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domainthirtth13vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domaintwentyth20vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domaineighth8vt.top | CryptBot botnet C2 domain (confidence level: 100%) | |
domainbleedingheart1897.lol | Bashlite botnet C2 domain (confidence level: 100%) |
File
| Value | Description | Copy |
|---|---|---|
file64.23.249.232 | Mirai botnet C2 server (confidence level: 75%) | |
file47.96.13.97 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file103.234.72.11 | Unknown malware botnet C2 server (confidence level: 100%) | |
file104.194.133.200 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file51.195.224.150 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file35.183.18.22 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file79.110.49.141 | Meduza Stealer botnet C2 server (confidence level: 100%) | |
file18.162.79.80 | MimiKatz botnet C2 server (confidence level: 100%) | |
file45.129.199.234 | BianLian botnet C2 server (confidence level: 100%) | |
file103.242.12.203 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file13.38.65.151 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file52.10.174.127 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file88.252.172.73 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file88.252.172.73 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file88.252.172.73 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file88.252.172.73 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file182.92.206.168 | Unknown malware botnet C2 server (confidence level: 100%) | |
file48.217.82.81 | Unknown malware botnet C2 server (confidence level: 100%) | |
file209.38.144.199 | Unknown malware botnet C2 server (confidence level: 100%) | |
file193.31.41.56 | Unknown malware botnet C2 server (confidence level: 100%) | |
file54.91.28.108 | Unknown malware botnet C2 server (confidence level: 100%) | |
file104.248.166.199 | Unknown malware botnet C2 server (confidence level: 100%) | |
file18.135.30.45 | Unknown malware botnet C2 server (confidence level: 100%) | |
file147.185.221.24 | NjRAT botnet C2 server (confidence level: 75%) | |
file59.110.47.61 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file1.94.63.197 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file185.147.124.179 | SectopRAT botnet C2 server (confidence level: 100%) | |
file185.147.124.179 | SectopRAT botnet C2 server (confidence level: 100%) | |
file3.123.228.130 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file18.159.141.158 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file154.64.244.69 | ERMAC botnet C2 server (confidence level: 100%) | |
file47.122.64.186 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file47.97.121.215 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file39.106.2.51 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file121.40.112.176 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file198.44.174.39 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file42.240.133.45 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file87.120.115.8 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file42.193.217.148 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file120.46.9.210 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file8.152.197.112 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file104.250.169.102 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file8.137.105.126 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file198.181.32.32 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file47.76.118.8 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file93.179.101.17 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file121.37.140.40 | ValleyRAT botnet C2 server (confidence level: 75%) | |
file1.94.149.77 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file117.50.186.71 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file123.57.29.207 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file2.58.56.76 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file185.49.126.134 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file66.179.240.177 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file185.196.9.195 | Havoc botnet C2 server (confidence level: 100%) | |
file72.5.42.220 | Havoc botnet C2 server (confidence level: 100%) | |
file87.121.86.200 | MooBot botnet C2 server (confidence level: 100%) | |
file94.237.73.53 | MimiKatz botnet C2 server (confidence level: 100%) | |
file213.136.90.188 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file213.136.90.188 | XWorm botnet C2 server (confidence level: 100%) | |
file116.198.232.205 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file164.92.252.141 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file154.216.20.216 | Mirai botnet C2 server (confidence level: 75%) | |
file147.45.69.75 | XenoRAT botnet C2 server (confidence level: 100%) | |
file106.15.184.255 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file106.15.184.255 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file194.26.192.21 | Hook botnet C2 server (confidence level: 100%) | |
file23.26.146.61 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file79.110.49.56 | Meduza Stealer botnet C2 server (confidence level: 100%) | |
file34.58.44.108 | MooBot botnet C2 server (confidence level: 100%) | |
file94.156.248.31 | Unknown malware botnet C2 server (confidence level: 100%) | |
file45.137.22.250 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file152.42.226.16 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file3.21.97.241 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file111.229.239.68 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file141.98.197.31 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file39.100.90.182 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file217.12.201.39 | Remcos botnet C2 server (confidence level: 100%) | |
file107.22.37.1 | Sliver botnet C2 server (confidence level: 100%) | |
file113.44.78.183 | Unknown malware botnet C2 server (confidence level: 100%) | |
file106.75.47.251 | Unknown malware botnet C2 server (confidence level: 100%) | |
file52.232.121.162 | MimiKatz botnet C2 server (confidence level: 100%) | |
file149.50.108.116 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file198.44.170.193 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file8.218.163.62 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file154.201.87.51 | ValleyRAT botnet C2 server (confidence level: 100%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash1995 | Mirai botnet C2 server (confidence level: 75%) | |
hash60000 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash4439 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash4444 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash6846 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | Meduza Stealer botnet C2 server (confidence level: 100%) | |
hash9000 | MimiKatz botnet C2 server (confidence level: 100%) | |
hash80 | BianLian botnet C2 server (confidence level: 100%) | |
hash8686 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8088 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash49127 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash888 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash2003 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash2004 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash20000 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash60000 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash1337 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash4084 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash37334 | NjRAT botnet C2 server (confidence level: 75%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash9999 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash15647 | SectopRAT botnet C2 server (confidence level: 100%) | |
hash15747 | SectopRAT botnet C2 server (confidence level: 100%) | |
hash9042 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash37036 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | ERMAC botnet C2 server (confidence level: 100%) | |
hash8888 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash7777 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8087 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash4433 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8800 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash5555 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash7777 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash1234 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash1080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8888 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hashba4039b27f64a90d1038905f8b8804d0 | Unknown malware payload (confidence level: 50%) | |
hash0a6dd4eee2a0629d1da62f248a17ec80 | Unknown malware payload (confidence level: 50%) | |
hashd72c3508cbb968c478e0bd91e0f11424 | Unknown malware payload (confidence level: 50%) | |
hashbfc3dfd07dcf918bb87126fac4c62e7c | Unknown malware payload (confidence level: 50%) | |
hashdfb38db3eeee3287524d4d3aacae8c45 | Unknown malware payload (confidence level: 50%) | |
hash6666 | ValleyRAT botnet C2 server (confidence level: 75%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8888 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash4444 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash80 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash80 | MooBot botnet C2 server (confidence level: 100%) | |
hash8000 | MimiKatz botnet C2 server (confidence level: 100%) | |
hash4449 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash7000 | XWorm botnet C2 server (confidence level: 100%) | |
hash8888 | ValleyRAT botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash3778 | Mirai botnet C2 server (confidence level: 75%) | |
hash4444 | XenoRAT botnet C2 server (confidence level: 100%) | |
hash7771 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash50001 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Hook botnet C2 server (confidence level: 100%) | |
hash30120 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash80 | Meduza Stealer botnet C2 server (confidence level: 100%) | |
hash80 | MooBot botnet C2 server (confidence level: 100%) | |
hash72 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash55615 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash60421 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash21760 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash26076 | Remcos botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 100%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8000 | MimiKatz botnet C2 server (confidence level: 100%) | |
hash7332 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash18091 | ValleyRAT botnet C2 server (confidence level: 100%) | |
hash6666 | ValleyRAT botnet C2 server (confidence level: 100%) | |
hash11111 | ValleyRAT botnet C2 server (confidence level: 100%) |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://consirepdi.biz/login | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://abaftebeetl.biz/login | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttp://lopatasovka.ru/generatordlepublic.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://649521cm.renyash.ru/pipetojavascriptrequestpollcpubasetestprivatetemp.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttps://sordid-snaked.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://awake-weaves.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://wrathful-jammy.cyou/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://appliacnesot.buzz/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://cashfuzysao.buzz/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://hummskitnj.buzz/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://inherineau.buzz/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://mindhandru.buzz/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://prisonyfork.buzz/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://rebuildeso.buzz/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://scentniej.buzz/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://screwamusresz.buzz/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://justyffyr.click/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://undesirabkel.click/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://successroadway.com/updater.php | Satacom botnet C2 (confidence level: 100%) | |
urlhttp://tubnzy3uvz.top/1.php | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttp://durok.ru/javascriptpacketgeoserverwindowsflowerwordpresswpcentral.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://cyberpotato.ru/externalhttpcpuauthpubliccdn.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://152.32.170.129/12.exe | Cobalt Strike payload delivery URL (confidence level: 100%) | |
urlhttp://152.32.170.129/121.exe | Cobalt Strike payload delivery URL (confidence level: 100%) | |
urlhttp://321723cm.renyash.ru/authdbbasetraffic.php | DCRat botnet C2 (confidence level: 100%) |
Threat ID: 682c7dc4e8347ec82d2ea936
Added to database: 5/20/2025, 1:04:04 PM
Last enriched: 6/19/2025, 3:32:04 PM
Last updated: 7/28/2025, 3:55:28 AM
Views: 8
Related Threats
ThreatFox IOCs for 2025-08-11
MediumFrom ClickFix to Command: A Full PowerShell Attack Chain
MediumNorth Korean Group ScarCruft Expands From Spying to Ransomware Attacks
MediumMedusaLocker ransomware group is looking for pentesters
MediumThreatFox IOCs for 2025-08-10
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.