diff --git a/Twizt/README.md b/Twizt/README.md new file mode 100644 index 0000000..99ec108 --- /dev/null +++ b/Twizt/README.md @@ -0,0 +1,46 @@ +# IOC for Twizt +Twizt botnet is infiltrating `SMB` on port 139 through the `WNetAddConnection2W` API. Employing brute force tactics with hardcoded credentials, the attackers focus on compromising the `$ADMIN` resource. + +Notably, the Twizt botnet exhibits a dynamic strategy by generating targets randomly. +The cracked credentials are promptly transmitted to C2. So, the result of this effort can be a successful exploit of vulnerable systems. + + +### Table of Contents +* [Hardcoded Credentials](#hardcoded-credentials) +* [Samples (SHA-256)](#samples-sha-256) +* [Network indicators](#network-indicators) + + +## Hardcoded Credentials +#### Usernames +``` +Administrator +administrator +Admin +Administrator +admin +admin1 +admin12 +admin123 +``` + +#### Passwords +[passwords](smb-passwords.txt) + + +## Samples (SHA-256) +#### Twizt Bot +``` +A306D86351AB6783E2806F88DFC663357FA1B4750A68347FCD73250AB3AFC90F +``` + + +## Network indicators +#### C&C server +``` +http[:]//185.215.113[.]66 +``` +#### Uploader URL +``` +hxxp://185.215.113[.]66/admin.php?s=|| +``` diff --git a/Twizt/smb-passwords.txt b/Twizt/smb-passwords.txt new file mode 100644 index 0000000..a46fa7e --- /dev/null +++ b/Twizt/smb-passwords.txt 
@@ -0,0 +1,182 @@ +Admin +Administrator +admin +admin1 +admin12 +admin123 +adminadmin +administrator +0000 +0000000 +00000000 +0987654321 +11111 +111111 +1111111 +11111111 +123123 +12321 +123321 +12345 +123456 +1234567 +12345678 +123456789 +1234567890 +1234abcd +1234qwer +123abc +123asd +123qwe +1q2w3e +22222 +222222 +2222222 +22222222 +33333 +333333 +3333333 +33333333 +44444 +444444 +4444444 +44444444 +54321 +55555 +555555 +5555555 +55555555 +654321 +66666 +666666 +6666666 +66666666 +7654321 +77777 +777777 +7777777 +77777777 +87654321 +88888 +888888 +8888888 +88888888 +987654321 +99999 +999999 +9999999 +99999999 +a1b2c3 +aaaaa +abc123 +academia +access +account +anything +asddsa +asdfgh +asdsa +asdzxc +backup +boss123 +business +campus +changeme +cluster +codename +codeword +coffee +computer +controller +cookie +customer +database +default +desktop +domain +example +exchange +explorer +files +foobar +foofoo +forever +freedom +games +home123 +ihavenopass +Internet +internet +intranet +killer +letitbe +letmein +Login +login +lotus +love123 +manager +market +money +monitor +mypass +mypassword +mypc123 +nimda +nobody +nopass +nopassword +nothing +office +oracle +owner +pass1 +pass12 +pass123 +passwd +Password +password +password1 +password12 +password123 +private +public +pw123 +q1w2e3 +qazwsx +qazwsxedc +qqqqq +qwe123 +qweasd +qweasdzxc +qweewq +qwerty +qwewq +root123 +rootroot +sample +secret +secure +security +server +shadow +share +student +super +superuser +supervisor +system +temp123 +temporary +temptemp +test123 +testtest +unknown +windows +work123 +xxxxx +zxccxz +zxcvb +zxcvbn +zxcxz +zzzzz
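Review bot: in the README hunk the Usernames block lists `Administrator` twice (entries 1 and 4), so one copy should be dropped; while there, three smaller consistency points in the same file: the administrative share is written `$ADMIN`, but the Windows share name is `ADMIN$` (dollar sign as suffix), the two network indicators are defanged in different styles (`http[:]//185.215.113[.]66` for the C&C server versus `hxxp://185.215.113[.]66/admin.php?s=||` for the uploader URL), and the `s=||` parameter is shown without a line saying what the pipe-separated fields carry, even though the intro states the cracked credentials are sent to C2. The closing sentence of the intro ("So, the result of this effort can be a successful exploit of vulnerable systems") restates the first paragraph and could be removed.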
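Review bot: `smb-passwords.txt` has no header or provenance line, so anyone opening it outside the README cannot tell it is the hardcoded list carried by the Twizt sample rather than a generic wordlist; a short sentence in the README's Passwords section stating that the 182 entries (matching the `+1,182` hunk header) were extracted from sample `A306D86351AB6783E2806F88DFC663357FA1B4750A68347FCD73250AB3AFC90F` would fix that. The first eight entries (`Admin` through `administrator`) are the same strings as the README's Usernames block, so the README should also say whether the bot tries every username against every password or pairs them in order, since that determines how many login failures a defender should expect to see per target in SMB audit logs.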