mirror of
https://github.com/avast/ioc
synced 2024-06-16 11:58:39 +00:00
47 lines
1.0 KiB
Markdown
47 lines
1.0 KiB
Markdown
|
# IOC for Twizt
|
||
|
|
Twizt botnet is infiltrating `SMB` on port 139 through the `WNetAddConnection2W` API. Employing brute force tactics with hardcoded credentials, the attackers focus on compromising the `$ADMIN` resource.
|
||
|
|
|
||
|
|
Notably, the Twizt botnet exhibits a dynamic strategy by generating targets randomly.
|
||
|
|
The cracked credentials are promptly transmitted to C2. So, the result of this effort can be a successful exploit of vulnerable systems.
|
||
|
|
|
||
|
|
|
||
|
|
### Table of Contents
|
||
|
|
* [Hardcoded Credentials](#hardcoded-credentials)
|
||
|
|
* [Samples (SHA-256)](#samples-sha-256)
|
||
|
|
* [Network indicators](#network-indicators)
|
||
|
|
|
||
|
|
|
||
|
|
## Hardcoded Credentials
|
||
|
|
#### Usernames
|
||
|
|
```
|
||
|
|
Administrator
|
||
|
|
administrator
|
||
|
|
Admin
|
||
|
|
Administrator
|
||
|
|
admin
|
||
|
|
admin1
|
||
|
|
admin12
|
||
|
|
admin123
|
||
|
|
```
|
||
|
|
|
||
|
|
#### Passwords
|
||
|
|
[passwords](smb-passwords.txt)
|
||
|
|
|
||
|
|
|
||
|
|
## Samples (SHA-256)
|
||
|
|
#### Twizt Bot
|
||
|
|
```
|
||
|
|
A306D86351AB6783E2806F88DFC663357FA1B4750A68347FCD73250AB3AFC90F
|
||
|
|
```
|
||
|
|
|
||
|
|
|
||
|
|
## Network indicators
|
||
|
|
#### C&C server
|
||
|
|
```
|
||
|
|
http[:]//185.215.113[.]66
|
||
|
|
```
|
||
|
|
#### Uploader URL
|
||
|
|
```
|
||
|
|
hxxp://185.215.113[.]66/admin.php?s=<attacked_domain>|<password>|<user>
|
||
|
|
```
|