Olivia
Online
IronNet Threat Research
@IronNetTR
Transforming NDR through Collective Defense
Interested in a trial or demo of IronRadar? Reach out to [email protected]
Joined July 2018
37 Following
943 Followers
526 Posts
ย Pinned Tweet
We have taken in feedback from the community and simplified our model to be more flexible, tailored to fit organizations of all sizes, with enhanced support options at higher tiers. If you're interested in learning more, feel free to reach out! #threatintel #IronRadar
@cyberfeeddigest @500mk500 @Huntio @ViriBack @drb_ra @hasherezade @ReversingLabs @JAMESWT_MHT @Arkbird_SOLG @0xor0ne @ESETresearch @0x6rss @ShanHolo @abuse_ch @James_inthe_box @peterkruse @soaj1664ashar Seeing a /test/ directory on the .37 with a number of files related to Amadey and StealC. Also seeing the /well/ and files on the .100 & .103 in that subnet
194.87.232[.]36 - Medusa Malware hxxp://194.87.232[.]36/sora.sh https://t.co/hC66yP91BB
110.74.221[.]29 - #RunningRAT (110.74.221[.]29:8585/server.exe) https://t.co/XJbbVmgt8x
38.62.245[.]50 - XWorm hxxp://38.62.245[.]50/contract_review.exe https://t.co/brTguCZt8o
2/2
This morning, IronNet deployed an update to IronRadar based on our Open-Dir development. IronRadar customers now have actionable, proactive intelligence of open-dir's hosting malicious payloads.
#opendir #Malware #C2 #ThreatIntel #Cybersecurity
Examples in ๐งต
1/2
Who to follow
Shadow Chaser Group
@ShadowChasing1
Shadow Chaser Group is a sub-group of the GcowSec team which consists of college students who love it.Shadow Chaser Group focused on APT hunt and analysis
t3ft3lb
@t3ft3lb
Threat researcher, Malware analyst
All tweets represent my personal opinion
sicehice
@sicehice
Follow us for IP address OSINT, threat data aggregation, bulk IP lookups, free API access and more - https://t.co/FdwKUSr0a0
server.exe - 04e826b96233b7285ed00a6a964ae824086ed97483a98a051743494f27466005 - Donut Loader
pythonw.exe - 450745689468e04af26cb92261a6baa25e51966c8c3eb49d10c5f7dbde7e6476 - NESHTA
#opendir #malware #phishing #urlhaus #censys #anyrun #hatchingtriage #ThreatIntel #C2
4/4
While continuing to refine IronRadar's open-dir detection capabilities, we uncovered an initial access vector associated with a suspected coinminer/spyware phishing campaign.
Censys query: "((putty.exe) and labels=`open-dir`) and services.port=`3389`".
1/4
Network:
38.62.245[.]50
coinmarkettcap[.]com[.]ng
ASN:
#24SHELLS
Filenames & Hashes:
contract_review.exe - 85937170a95daf74d6dcb1c270b7d7387e1ce557cfca6efa4281644fe4c4592b - XWorm
putty.exe - 9f96931855f7a2b61a6ba1f0bb14bd3c088c0c2d3a51da28b517569b5c305a57 - NESHTA
3/4
36.6.140[.]140 - 2 VT
36.152.66[.]126 - 0 VT
117.57.95[.]3 - 0 VT
118.122.131[.]36 - 0 VT
120.234.199[.]52 - 0 VT
122.228.208[.]190 - 0 VT
125.65.88[.]195 - 0 VT
125.67.171[.]132 - 0 VT
171.221.12[.]241 - 0 VT
182.149.112[.]154 - 0 VT
3/3
While researching an Open-Dir, we identified a file (ludashisetup[.]exe). Although this appears to be low severity, tagged as PUP/Riskware, it was cohosted with numerous malicious/sus binaries, which we decided to look into.
#ThreatIntelligence #ThreatIntel #malware #C2
1/3
Using 'ludashisetup[.]exe' as a search filter, we identified 11 additional Open-Dirs that were unrated. All of these contained malicious and/or suspicious files.
Censys Query: (ludashisetup.exe) and labels='open-dir'
2/3
Domains:
postutleveringssted[.]com - 8 VT
banshee-stealer[.]com/login/ - 2 VT Banshee Stealer
refbofa39b[.]com - 1 VT
refdcu20n[.]com - 2 VT
topgamecheats[.]dev - 19 VT Amadey
wedominatelawsuits[.]top/panel/login - 14 VT Mint Stealer
#ThreatIntel #Malware #C2
3/3
In April, we reported on a TLS cert (cryptohopperai[.]org) associated with a network cluster hosting various malware, to include Amadey and other stealer malware.
A new active cluster has been identified using this TLS cert with numerous IPs and Domains, most unreported 1/3
ASN: Silent Connection LTD
IPs:
154.216.16[.]105 - 0 VT
154.216.16[.]183 - 0 VT
154.216.17[.]240 - 0 VT
154.216.18[.]134 - 0 VT
154.216.18[.]135 - 0 VT
154.216.19[.]213 - 0 VT
2/3
185.222.57[.]84 VT 0/93
185.222.58[.]247 VT 0/93
185.222.58[.]89 VT 0/93
45.137.22[.]73 VT 0/93
45.137.22[.]90 VT 0/93
#ThreatIntel #Malware #C2 2/2
Implementing new Remcos detections for #IronRadar, an RDP Hostname (WIN-SVPD50JM3QK) was identified which correlated to over 170 IPs within ASN 'RootLayer Web Services'.
The vast majority of these are rated malicious and are hosting various malware strains. 1/2
IronNet TR has identified an OpenDIR (154.213.186[.]220) hosting 7 BashLite/GAFGYT payloads.
Currently 1/93 on VT
Hosted Files:
pXdN91.armv4l
pXdN91.armv5l
pXdN91.armv6l
pXdN91.mips
pXdN91.mipsel
pXdN91.sh4
pXdN91.x68
#ThreatIntel #Malware #C2
179.14.10[.]24 - 0 VT AsyncRAT (Documento.vbs)
181.235.7[.]20 - 0 VT Remcos (sostener.vbs)
186.169.58[.]119 - 9 VT Remcos
188.126.90[.]17 - 0 VT NjRAT | LimeRAT
190.9.223[.]135 - 7 VT
191.93.113[.]10 - 20 VT AsyncRAT
#ThreatIntel #Malware #C2
IronNet TR has discovered a RemcosRAT indicator 89.117.23[.]25 found to be hosting multiple open-dir domains containing the file sostener.vbs (identified as Remcos).
Further investigation associates this file as part of a larger RAT campaign (12 IPs - Remcos, Async, DCRAT)
46.246.12[.]14 - 12 VT DCRAT
46.246.80[.]10 - 4 VT DCRAT | NJRAT
46.246.86[.]12 - 3 VT DCRAT
46.246.86[.]23 - 0 VT Remcos (wecqa2ra7nvcx.exe)
89.117.23[.]25 - 14 VT DCRAT | Remcos
178.73.192[.]11 - 11 VT DCRAT
Most Popular Users
Elon Musk 
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.9M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.3M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.6M followers
KATY PERRY
@katyperry
86.8M followers
Taylor Swift
@taylorswift13
80.6M followers
Lady Gaga
@ladygaga
72.2M followers
Kim Kardashian
@kimkardashian
69.4M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.5M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.1M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
59.9M followers