mirror of https://github.com/avast/ioc
e6d5ca8781 | ||
---|---|---|
.. | ||
README.md | ||
smb-passwords.txt |
IOC for Twizt
Twizt botnet is infiltrating SMB
on port 139 through the WNetAddConnection2W
API. Employing brute force tactics with hardcoded credentials, the attackers focus on compromising the $ADMIN
resource.
Notably, the Twizt botnet exhibits a dynamic strategy by generating targets randomly. The cracked credentials are promptly transmitted to C2. So, the result of this effort can be a successful exploit of vulnerable systems.
Table of Contents
Hardcoded Credentials
Usernames
Administrator
administrator
Admin
Administrator
admin
admin1
admin12
admin123
Passwords
Samples (SHA-256)
Twizt Bot
A306D86351AB6783E2806F88DFC663357FA1B4750A68347FCD73250AB3AFC90F
Network indicators
C&C server
http[:]//185.215.113[.]66
Uploader URL
hxxp://185.215.113[.]66/admin.php?s=<attacked_domain>|<password>|<user>