Twizt IOCs

Martin Chlumecký 2024-01-12 13:43:46 +01:00
parent 1bc25b4994
commit e6d5ca8781
2 changed files with 228 additions and 0 deletions

46
Twizt/README.md Normal file

@ -0,0 +1,46 @@
# IOC for Twizt
Twizt botnet is infiltrating `SMB` on port 139 through the `WNetAddConnection2W` API. Employing brute force tactics with hardcoded credentials, the attackers focus on compromising the `$ADMIN` resource.
Notably, the Twizt botnet exhibits a dynamic strategy by generating targets randomly.
The cracked credentials are promptly transmitted to C2. So, the result of this effort can be a successful exploit of vulnerable systems.
### Table of Contents
* [Hardcoded Credentials](#hardcoded-credentials)
* [Samples (SHA-256)](#samples-sha-256)
* [Network indicators](#network-indicators)
## Hardcoded Credentials
#### Usernames
```
Administrator
administrator
Admin
Administrator
admin
admin1
admin12
admin123
```
#### Passwords
[passwords](smb-passwords.txt)
## Samples (SHA-256)
#### Twizt Bot
```
A306D86351AB6783E2806F88DFC663357FA1B4750A68347FCD73250AB3AFC90F
```
## Network indicators
#### C&C server
```
http[:]//185.215.113[.]66
```
#### Uploader URL
```
hxxp://185.215.113[.]66/admin.php?s=<attacked_domain>|<password>|<user>
```
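Review bot: the share name in the first paragraph, `$ADMIN`, looks like a typo for the Windows administrative share `ADMIN$` (the dollar sign comes last); since this README is what defenders will copy into detection notes, the share name should be exact. Two smaller points in the same hunk: the Usernames block lists `Administrator` twice (lines 2 and 5 of the block), so one copy can be dropped, and the two network indicators are defanged differently (`http[:]//185.215.113[.]66` versus `hxxp://185.215.113[.]66/admin.php?...`); picking one convention, e.g. `hxxp://` with `[.]`, keeps automated IOC extraction consistent. It would also help to state that the uploader request carries the cracked triple as `<attacked_domain>|<password>|<user>` in the `s=` query parameter, so a proxy or IDS rule can key on a request to `/admin.php?s=` with two pipe characters in the value.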

182
Twizt/smb-passwords.txt Normal file

@ -0,0 +1,182 @@
Admin
Administrator
admin
admin1
admin12
admin123
adminadmin
administrator
0000
0000000
00000000
0987654321
11111
111111
1111111
11111111
123123
12321
123321
12345
123456
1234567
12345678
123456789
1234567890
1234abcd
1234qwer
123abc
123asd
123qwe
1q2w3e
22222
222222
2222222
22222222
33333
333333
3333333
33333333
44444
444444
4444444
44444444
54321
55555
555555
5555555
55555555
654321
66666
666666
6666666
66666666
7654321
77777
777777
7777777
77777777
87654321
88888
888888
8888888
88888888
987654321
99999
999999
9999999
99999999
a1b2c3
aaaaa
abc123
academia
access
account
anything
asddsa
asdfgh
asdsa
asdzxc
backup
boss123
business
campus
changeme
cluster
codename
codeword
coffee
computer
controller
cookie
customer
database
default
desktop
domain
example
exchange
explorer
files
foobar
foofoo
forever
freedom
games
home123
ihavenopass
Internet
internet
intranet
killer
letitbe
letmein
Login
login
lotus
love123
manager
market
money
monitor
mypass
mypassword
mypc123
nimda
nobody
nopass
nopassword
nothing
office
oracle
owner
pass1
pass12
pass123
passwd
Password
password
password1
password12
password123
private
public
pw123
q1w2e3
qazwsx
qazwsxedc
qqqqq
qwe123
qweasd
qweasdzxc
qweewq
qwerty
qwewq
root123
rootroot
sample
secret
secure
security
server
shadow
share
student
super
superuser
supervisor
system
temp123
temporary
temptemp
test123
testtest
unknown
windows
work123
xxxxx
zxccxz
zxcvb
zxcvbn
zxcxz
zzzzz
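Review bot: the file is undocumented; a one-line note in the README (or a comment-free header convention stated there) should say that `smb-passwords.txt` is one plaintext password per line, 182 entries, with no ordering or weighting, so consumers do not assume it is ranked. The first eight entries (`Admin` through `administrator`) duplicate the Usernames block in the README, which suggests the bot tries every username/password pair from a combined list; if that is the intent, the README should say so rather than leaving the overlap to be inferred. Case variants such as `Internet`/`internet`, `Login`/`login` and `Password`/`password` are kept as separate lines, which is correct for an exact-match list, but worth noting so nobody "deduplicates" them case-insensitively.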