IronNet Threat Research

We have taken in feedback from the community and simplified our model to be more flexible, tailored to fit organizations of all sizes, with enhanced support options at higher tiers. If you're interested in learning more, feel free to reach out! #threatintel #IronRadar

@cyberfeeddigest @500mk500 @Huntio @ViriBack @drb_ra @hasherezade @ReversingLabs @JAMESWT_MHT @Arkbird_SOLG @0xor0ne @ESETresearch @0x6rss @ShanHolo @abuse_ch @James_inthe_box @peterkruse @soaj1664ashar Seeing a /test/ directory on the .37 with a number of files related to Amadey and StealC. Also seeing the /well/ and files on the .100 & .103 in that subnet

⚠️ #CnC for #REDLINE #Stealer found as #Opendir: hxxp://185[.]215[.]113[.]37/well/ cc:@500mk500, @HuntIO, @ViriBack, @drb_ra, @hasherezade,@ReversingLabs, @JAMESWT_MHT,@Arkbird_SOLG,@0xor0ne,@ESETresearch,@0x6rss , @ShanHolo,@abuse_ch,@James_inthe_box,@peterkruse,@soaj1664ashar #CyberSecurity #Malware #ThreatIntel #CTI

194.87.232[.]36 - Medusa Malware hxxp://194.87.232[.]36/sora.sh virustotal.com/gui/file/c4575… 110.74.221[.]29 - #RunningRAT (110.74.221[.]29:8585/server.exe) virustotal.com/gui/file/540a9… 38.62.245[.]50 - XWorm hxxp://38.62.245[.]50/contract_review.exe virustotal.com/gui/file/85937… 2/2

This morning, IronNet deployed an update to IronRadar based on our Open-Dir development. IronRadar customers now have actionable, proactive intelligence of open-dir's hosting malicious payloads. #opendir #Malware #C2 #ThreatIntel #Cybersecurity Examples in 🧵 1/2

server.exe - 04e826b96233b7285ed00a6a964ae824086ed97483a98a051743494f27466005 - Donut Loader pythonw.exe - 450745689468e04af26cb92261a6baa25e51966c8c3eb49d10c5f7dbde7e6476 - NESHTA #opendir #malware #phishing #urlhaus #censys #anyrun #hatchingtriage #ThreatIntel #C2 4/4

Network: 38.62.245[.]50 coinmarkettcap[.]com[.]ng ASN: #24SHELLS Filenames & Hashes: contract_review.exe - 85937170a95daf74d6dcb1c270b7d7387e1ce557cfca6efa4281644fe4c4592b - XWorm putty.exe - 9f96931855f7a2b61a6ba1f0bb14bd3c088c0c2d3a51da28b517569b5c305a57 - NESHTA 3/4

While continuing to refine IronRadar's open-dir detection capabilities, we uncovered an initial access vector associated with a suspected coinminer/spyware phishing campaign. Censys query: "((putty.exe) and labels=`open-dir`) and services.port=`3389`". 1/4

36.6.140[.]140 - 2 VT 36.152.66[.]126 - 0 VT 117.57.95[.]3 - 0 VT 118.122.131[.]36 - 0 VT 120.234.199[.]52 - 0 VT 122.228.208[.]190 - 0 VT 125.65.88[.]195 - 0 VT 125.67.171[.]132 - 0 VT 171.221.12[.]241 - 0 VT 182.149.112[.]154 - 0 VT 3/3

Using 'ludashisetup[.]exe' as a search filter, we identified 11 additional Open-Dirs that were unrated. All of these contained malicious and/or suspicious files. Censys Query: (ludashisetup.exe) and labels='open-dir' 2/3

While researching an Open-Dir, we identified a file (ludashisetup[.]exe). Although this appears to be low severity, tagged as PUP/Riskware, it was cohosted with numerous malicious/sus binaries, which we decided to look into. #ThreatIntelligence #ThreatIntel #malware #C2 1/3

Domains: postutleveringssted[.]com - 8 VT banshee-stealer[.]com/login/ - 2 VT Banshee Stealer refbofa39b[.]com - 1 VT refdcu20n[.]com - 2 VT topgamecheats[.]dev - 19 VT Amadey wedominatelawsuits[.]top/panel/login - 14 VT Mint Stealer #ThreatIntel #Malware #C2 3/3

ASN: Silent Connection LTD IPs: 154.216.16[.]105 - 0 VT 154.216.16[.]183 - 0 VT 154.216.17[.]240 - 0 VT 154.216.18[.]134 - 0 VT 154.216.18[.]135 - 0 VT 154.216.19[.]213 - 0 VT 2/3

In April, we reported on a TLS cert (cryptohopperai[.]org) associated with a network cluster hosting various malware, to include Amadey and other stealer malware. A new active cluster has been identified using this TLS cert with numerous IPs and Domains, most unreported 1/3

185.222.57[.]84 VT 0/93 185.222.58[.]247 VT 0/93 185.222.58[.]89 VT 0/93 45.137.22[.]73 VT 0/93 45.137.22[.]90 VT 0/93 #ThreatIntel #Malware #C2 2/2

Implementing new Remcos detections for #IronRadar, an RDP Hostname (WIN-SVPD50JM3QK) was identified which correlated to over 170 IPs within ASN 'RootLayer Web Services'. The vast majority of these are rated malicious and are hosting various malware strains. 1/2

IronNet TR has identified an OpenDIR (154.213.186[.]220) hosting 7 BashLite/GAFGYT payloads. Currently 1/93 on VT Hosted Files: pXdN91.armv4l pXdN91.armv5l pXdN91.armv6l pXdN91.mips pXdN91.mipsel pXdN91.sh4 pXdN91.x68 #ThreatIntel #Malware #C2

179.14.10[.]24 - 0 VT AsyncRAT (Documento.vbs) 181.235.7[.]20 - 0 VT Remcos (sostener.vbs) 186.169.58[.]119 - 9 VT Remcos 188.126.90[.]17 - 0 VT NjRAT | LimeRAT 190.9.223[.]135 - 7 VT 191.93.113[.]10 - 20 VT AsyncRAT #ThreatIntel #Malware #C2

46.246.12[.]14 - 12 VT DCRAT 46.246.80[.]10 - 4 VT DCRAT | NJRAT 46.246.86[.]12 - 3 VT DCRAT 46.246.86[.]23 - 0 VT Remcos (wecqa2ra7nvcx.exe) 89.117.23[.]25 - 14 VT DCRAT | Remcos 178.73.192[.]11 - 11 VT DCRAT

IronNet TR has discovered a RemcosRAT indicator 89.117.23[.]25 found to be hosting multiple open-dir domains containing the file sostener.vbs (identified as Remcos). Further investigation associates this file as part of a larger RAT campaign (12 IPs - Remcos, Async, DCRAT)