mirror of
https://github.com/avast/ioc
synced 2024-06-16 11:58:39 +00:00
commit
b515ef8c40
46
Twizt/README.md
Normal file
@ -0,0 +1,46 @@
# IOC for Twizt
Twizt botnet is infiltrating `SMB` on port 139 through the `WNetAddConnection2W` API. Employing brute force tactics with hardcoded credentials, the attackers focus on compromising the `$ADMIN` resource.

Notably, the Twizt botnet exhibits a dynamic strategy by generating targets randomly.
The cracked credentials are promptly transmitted to C2. So, the result of this effort can be a successful exploit of vulnerable systems.


### Table of Contents
* [Hardcoded Credentials](#hardcoded-credentials)
* [Samples (SHA-256)](#samples-sha-256)
* [Network indicators](#network-indicators)


## Hardcoded Credentials
#### Usernames
```
Administrator
administrator
Admin
Administrator
admin
admin1
admin12
admin123
```

#### Passwords
[passwords](smb-passwords.txt)


## Samples (SHA-256)
#### Twizt Bot
```
A306D86351AB6783E2806F88DFC663357FA1B4750A68347FCD73250AB3AFC90F
```


## Network indicators
#### C&C server
```
http[:]//185.215.113[.]66
```
#### Uploader URL
```
hxxp://185.215.113[.]66/admin.php?s=<attacked_domain>|<password>|<user>
```
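Review bot: The opening paragraph of Twizt/README.md names the targeted share as `$ADMIN`, but the Windows administrative share is called `ADMIN$`; correct it so that anyone searching SMB logs for the share name matches the right string. In the Usernames block `Administrator` appears twice (first and fourth entries); drop the repeat, or if the sample really carries two distinct strings, show how they differ. The two network indicators are also defanged differently (`http[:]//185.215.113[.]66` versus `hxxp://185.215.113[.]66/admin.php?...`); use one convention for both so they can be refanged by the same tooling.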
182
Twizt/smb-passwords.txt
Normal file
@ -0,0 +1,182 @@