Joined July 2018
Pinned Tweet
We have taken in feedback from the community and simplified our model to be more flexible, tailored to fit organizations of all sizes, with enhanced support options at higher tiers. If you're interested in learning more, feel free to reach out! #threatintel #IronRadar
This morning, IronNet deployed an update to IronRadar based on our Open-Dir development. IronRadar customers now have actionable, proactive intelligence of open-dirs hosting malicious payloads. #opendir #Malware #C2 #ThreatIntel #Cybersecurity Examples in 🧵 1/2
194.87.232[.]36 - Medusa Malware hxxp://194.87.232[.]36/sora.sh virustotal.com/gui/file/c457…
110.74.221[.]29 - #RunningRAT (110.74.221[.]29:8585/server.exe) virustotal.com/gui/file/540a…
38.62.245[.]50 - XWorm hxxp://38.62.245[.]50/contract_review.exe virustotal.com/gui/file/8593…
2/2
While continuing to refine IronRadar's open-dir detection capabilities, we uncovered an initial access vector associated with a suspected coinminer/spyware phishing campaign. Censys query: "((putty.exe) and labels=`open-dir`) and services.port=`3389`". 1/4
Network: 38.62.245[.]50, coinmarkettcap[.]com[.]ng
ASN: #24SHELLS
Filenames & Hashes:
contract_review.exe - 85937170a95daf74d6dcb1c270b7d7387e1ce557cfca6efa4281644fe4c4592b - XWorm
putty.exe - 9f96931855f7a2b61a6ba1f0bb14bd3c088c0c2d3a51da28b517569b5c305a57 - NESHTA
3/4
server.exe - 04e826b96233b7285ed00a6a964ae824086ed97483a98a051743494f27466005 - Donut Loader
pythonw.exe - 450745689468e04af26cb92261a6baa25e51966c8c3eb49d10c5f7dbde7e6476 - NESHTA
#opendir #malware #phishing #urlhaus #censys #anyrun #hatchingtriage #ThreatIntel #C2 4/4
While researching an Open-Dir, we identified a file (ludashisetup[.]exe). Although this appears to be low severity, tagged as PUP/Riskware, it was cohosted with numerous malicious/sus binaries, which we decided to look into. #ThreatIntelligence #ThreatIntel #malware #C2 1/3
Using 'ludashisetup[.]exe' as a search filter, we identified 11 additional Open-Dirs that were unrated. All of these contained malicious and/or suspicious files. Censys Query: (ludashisetup.exe) and labels='open-dir' 2/3
36.6.140[.]140 - 2 VT
36.152.66[.]126 - 0 VT
117.57.95[.]3 - 0 VT
118.122.131[.]36 - 0 VT
120.234.199[.]52 - 0 VT
122.228.208[.]190 - 0 VT
125.65.88[.]195 - 0 VT
125.67.171[.]132 - 0 VT
171.221.12[.]241 - 0 VT
182.149.112[.]154 - 0 VT
3/3
In April, we reported on a TLS cert (cryptohopperai[.]org) associated with a network cluster hosting various malware, to include Amadey and other stealer malware. A new active cluster has been identified using this TLS cert with numerous IPs and Domains, most unreported 1/3
ASN: Silent Connection LTD
IPs:
154.216.16[.]105 - 0 VT
154.216.16[.]183 - 0 VT
154.216.17[.]240 - 0 VT
154.216.18[.]134 - 0 VT
154.216.18[.]135 - 0 VT
154.216.19[.]213 - 0 VT
2/3
Domains:
postutleveringssted[.]com - 8 VT
banshee-stealer[.]com/login/ - 2 VT - Banshee Stealer
refbofa39b[.]com - 1 VT
refdcu20n[.]com - 2 VT
topgamecheats[.]dev - 19 VT - Amadey
wedominatelawsuits[.]top/panel/login - 14 VT - Mint Stealer
#ThreatIntel #Malware #C2 3/3
Implementing new Remcos detections for #IronRadar, an RDP Hostname (WIN-SVPD50JM3QK) was identified which correlated to over 170 IPs within ASN 'RootLayer Web Services'. The vast majority of these are rated malicious and are hosting various malware strains. 1/2
185.222.57[.]84 - VT 0/93
185.222.58[.]247 - VT 0/93
185.222.58[.]89 - VT 0/93
45.137.22[.]73 - VT 0/93
45.137.22[.]90 - VT 0/93
#ThreatIntel #Malware #C2 2/2
IronNet TR has identified an OpenDIR (154.213.186[.]220) hosting 7 BashLite/GAFGYT payloads. Currently 1/93 on VT.
Hosted Files:
pXdN91.armv4l
pXdN91.armv5l
pXdN91.armv6l
pXdN91.mips
pXdN91.mipsel
pXdN91.sh4
pXdN91.x68
#ThreatIntel #Malware #C2
IronNet TR has discovered a RemcosRAT indicator 89.117.23[.]25 found to be hosting multiple open-dir domains containing the file sostener.vbs (identified as Remcos). Further investigation associates this file as part of a larger RAT campaign (12 IPs - Remcos, Async, DCRAT)
46.246.12[.]14 - 12 VT - DCRAT
46.246.80[.]10 - 4 VT - DCRAT | NJRAT
46.246.86[.]12 - 3 VT - DCRAT
46.246.86[.]23 - 0 VT - Remcos (wecqa2ra7nvcx.exe)
89.117.23[.]25 - 14 VT - DCRAT | Remcos
178.73.192[.]11 - 11 VT - DCRAT
179.14.10[.]24 - 0 VT - AsyncRAT (Documento.vbs)
181.235.7[.]20 - 0 VT - Remcos (sostener.vbs)
186.169.58[.]119 - 9 VT - Remcos
188.126.90[.]17 - 0 VT - NjRAT | LimeRAT
190.9.223[.]135 - 7 VT
191.93.113[.]10 - 20 VT - AsyncRAT
#ThreatIntel #Malware #C2