NDA0E @NDA0E - Twitter Profile

NDA0E @NDA0E

4 months ago

@BlinkzSec @500mk500 @banthisguy9349 @DaveLikesMalwre @RacWatchin8872 fake data.. XD

1

3

0

64

NDA0E @NDA0E

over 1 year ago

@illegalFawn @eranet_com @malwrhunterteam @JAMESWT_MHT @dubstard @YourAnonRiots @andsyn1 @UK_Daniel_Card @BeeHiveCyberSec @Malcoreio @douglasmun 45.134.26.105 45.134.26.175 45.134.26.182 45.134.26.184 45.134.26.187 45.134.26.190 45.134.26.192 45.134.26.195 45.134.26.197 45.134.26.220 45.134.26.221 45.134.26.225 aesecdip[.]icu inksecdip[.]icu insecdip[.]icu aeksecpld[.]cyou @Namecheap: kunimuni[.]pro hodvin[.]xyz

0

3

1

0

811

NDA0E @NDA0E

over 1 year ago

@BlinkzSec @zbraiterman @thejonmccoy @psiinon @kingthorin_rm @ricekot_ @banthisguy9349 @RacWatchin8872 @DaveLikesMalwre @Gi7w0rm @KibernaSecurity wishing you the same :)

0

3

0

72

NDA0E @NDA0E

over 1 year ago

@JAMESWT_MHT @malwrhunterteam Tracked here: https://t.co/Kn1I7uWovY

0

1

0

91

NDA0E @NDA0E

over 1 year ago

@banthisguy9349 CyberChef recipe: https://t.co/0NvRt7DSz9 MD5: bc1705db6ccc60784390e7ae66887148

0

3

0

131

NDA0E retweeted

abuse.ch

@abuse_ch

over 1 year ago

On the 1st of December, the notorious Socks5Systemz payload server hosted at AS57678 (Cat Technologies 🇭🇰) that is already active for several months started to serve a new version of Socks5Systemz ⤵️ 🌐 https://t.co/qqJQHUldo4 This is the first major change since 2023 in Socks5Systemz and includes: 🔑 New RC4 key used during C2 communication: hi_few5i6ab&7#d3 👋 Direct IP communication through HTTP(s) for botnet command and control instead of the usage of a DGA and a custom DNS server 🔙 Backconnect TCP port changed from 2023 to 2024 Current botnet C2 servers: 188.119.66.185:443 CHANGWAY 🇭🇰 45.155.249.212:443 RACKPLACE 🇩🇪 91.211.249.30:443 PODAON 🇱🇻 Malware sample:📄 https://t.co/mmYfg6tkPG Socks5Systemz IOCs: 🦊 https://t.co/UAuzQoqsEB

abuse_ch's tweet photo. On the 1st of December, the notorious Socks5Systemz payload server hosted at AS57678 (Cat Technologies 🇭🇰) that is already active for several months started to serve a new version of Socks5Systemz ⤵️

🌐 https://t.co/qqJQHUldo4

This is the first major change since 2023 in Socks5Systemz and includes:

🔑 New RC4 key used during C2 communication: hi_few5i6ab&7#d3
👋 Direct IP communication through HTTP(s) for botnet command and control instead of the usage of a DGA and a custom DNS server
🔙 Backconnect TCP port changed from 2023 to 2024

Current botnet C2 servers:
188.119.66.185:443 CHANGWAY 🇭🇰
45.155.249.212:443 RACKPLACE 🇩🇪
91.211.249.30:443 PODAON 🇱🇻

Malware sample:📄 https://t.co/mmYfg6tkPG
Socks5Systemz IOCs: 🦊 https://t.co/UAuzQoqsEB

1

34

12

11

7K

NDA0E retweeted

WatchingRac @RacWatchin8872

over 1 year ago

#AsyncRat #Malware 💣holder-apartments-face-matthew[.]trycloudflare[.]com/uline/Nr-2005-028763-2024-PDF[.]lnk💣 lnk->vbs->bat (checks if Avast exists) -> zip -> python scripts (injects shellcode) -> AsyncRat https://t.co/IooLkaxT9w https://t.co/Hdw4k30wvr

RacWatchin8872's tweet photo. #AsyncRat #Malware
💣holder-apartments-face-matthew[.]trycloudflare[.]com/uline/Nr-2005-028763-2024-PDF[.]lnk💣
lnk->vbs->bat (checks if Avast exists) -> zip -> python scripts (injects shellcode) -> AsyncRat
https://t.co/IooLkaxT9w
https://t.co/Hdw4k30wvr https://t.co/L875qgDAXu

4

58

18

21

7K

NDA0E @NDA0E

over 1 year ago

@1ZRR4H 90+ payloads hosted on 198.23.136.104: https://t.co/oAvwxDeP4s

0

2

0

112

NDA0E retweeted

ANY.RUN

@anyrun_app

over 1 year ago

🚨 Attackers use public open directories for hosting #malicious scripts disguised as .txt and .jpg files These are utilized in multi-stage #AsyncRAT #infections See technical breakdown of the tactics from @RacWatchin8872 👇 https://t.co/ti7ipTjTiN

1

58

29

21

7K

NDA0E @NDA0E

over 1 year ago

@ShanHolo thank you for the sample, i've written a YARA rule to detect it https://t.co/lZEsM0UPGj

1

0

64

NDA0E @NDA0E

over 1 year ago

@onecert_ir @Namecheap IRATA C2: hXXps://bot[.]avesta[.]uno/anonymous/Received.php @Hostinger

0

59

NDA0E @NDA0E

over 1 year ago

@onecert_ir @Namecheap Similar phishing: hXXps://45[.]147[.]230[.]41/ hXXp://sana-ir.wicaso6530[.]workers[.]dev/ Malware payloads: https://45[.]147[.]230[.]41/app.apk hXXps://github[.]com/iosyu01/okdash/raw/main/assets/eblagh.apk Samples: https://t.co/4QJZLrIyxf

2

1

0

133

NDA0E @NDA0E

over 1 year ago

@cyberfeeddigest #GuLoader

0

81

NDA0E @NDA0E

over 1 year ago

@illegalFawn @FMA_AT @FSMA_info @CNMV_IFI @CNMV_IP @CNMV_MEDIOS @CERT_Polska @CloudflareAbuse @AgidCert @YourAnonRiots @UK_Daniel_Card @malwrhunterteam @JAMESWT_MHT @dubstard @BeeHiveCyberSec 15.5k found on censys (this includes subdomains): https://t.co/niIZP9kQQk it's only 3k without subdomains: https://t.co/sz0qpNOFxs most of it is hosted at simplecarrier rather than Cloudflare.

0

1

0

88

NDA0E @NDA0E

over 1 year ago

@abuse_ch @JAMESWT_MHT @cocaman Sorry for causing the issue.

0

2

0

107

NDA0E @NDA0E

over 1 year ago

@chamindu_x @banthisguy9349 @cyb3rops it's #RobotDropper, matched on my YARA rule

1

0

110

NDA0E @NDA0E

over 1 year ago

@BlinkzSec @banthisguy9349 @tolisec @500mk500 @RacWatchin8872 @DaveLikesMalwre C2: 5.255.125.247:4089

0

1

0

130

NDA0E @NDA0E

over 1 year ago

@DaveLikesMalwre Also here: https://t.co/AK75mXhANg

1

0

103

NDA0E @NDA0E

over 1 year ago

@500mk500 threat type should be "payload_delivery"

1

0

61

NDA0E retweeted

NDA0E @NDA0E

over 1 year ago

@mdmck10 @malwrhunterteam @DNSPod @ICANN Big news! ICANN issued a Notice of Breach against @DNSPod in response to my complaint. PDF: https://t.co/KVwfrbC77n CC: @banthisguy9349

NDA0E's tweet photo. @mdmck10 @malwrhunterteam @DNSPod @ICANN Big news!
ICANN issued a Notice of Breach against @DNSPod in response to my complaint.

PDF: https://t.co/KVwfrbC77n

CC: @banthisguy9349 https://t.co/mIciq2dlaR

0

8

5

0

1K

NDA0E

@NDA0E

Last Seen Users on Sotwe

Trends for you

Most Popular Users