
IronNet Threat Research
@IronNetTR
Followers: 951
Following: 72
Media: 313
Statuses: 526
Transforming NDR through Collective Defense. Interested in a trial or demo of IronRadar? Reach out to [email protected]
Joined July 2018
We have taken in feedback from the community and simplified our model to be more flexible, tailored to fit organizations of all sizes, with enhanced support options at higher tiers. If you're interested in learning more, feel free to reach out! #threatintel #IronRadar
0
1
0
194.87.232[.]36 - Medusa Malware hxxp://194.87.232[.]36/sora.sh
110.74.221[.]29 - #RunningRAT (110.74.221[.]29:8585/server.exe)
38.62.245[.]50 - XWorm hxxp://38.62.245[.]50/contract_review.exe
2/2.
0
0
0
This morning, IronNet deployed an update to IronRadar based on our Open-Dir development. IronRadar customers now have actionable, proactive intelligence on open-dirs hosting malicious payloads. #opendir #Malware #C2 #ThreatIntel #Cybersecurity. Examples in 🧵. 1/2.
1
1
0
server.exe - 04e826b96233b7285ed00a6a964ae824086ed97483a98a051743494f27466005 - Donut Loader
pythonw.exe - 450745689468e04af26cb92261a6baa25e51966c8c3eb49d10c5f7dbde7e6476 - NESHTA
#opendir #malware #phishing #urlhaus #censys #anyrun #hatchingtriage #ThreatIntel #C2. 4/4.
0
0
0
Network:
38.62.245[.]50
coinmarkettcap[.]com[.]ng
ASN: #24SHELLS
Filenames & Hashes:
contract_review.exe - 85937170a95daf74d6dcb1c270b7d7387e1ce557cfca6efa4281644fe4c4592b - XWorm
putty.exe - 9f96931855f7a2b61a6ba1f0bb14bd3c088c0c2d3a51da28b517569b5c305a57 - NESHTA
3/4.
1
0
0
Malicious open-dirs:
hxxp://38.62.245[.]50
hxxp://38.62.245[.]50:5000
RDP hostname: CN=WIN-CLJ1B0GQ6JP
Malware: #XWorm, #NESHTA, and #DonutLoader
Phishing docs: file.pdf, filee.pdf
Phishing Companies: Silver Cliff Construction and Energy Bullet LLC
2/4.
1
0
0
While researching an Open-Dir, we identified a file (ludashisetup[.]exe). Although this appears to be low severity, tagged as PUP/Riskware, it was cohosted with numerous malicious/sus binaries, which we decided to look into. #ThreatIntelligence #ThreatIntel #malware #C2. 1/3.
1
2
2
Domains:
postutleveringssted[.]com - 8 VT
banshee-stealer[.]com/login/ - 2 VT Banshee Stealer
refbofa39b[.]com - 1 VT
refdcu20n[.]com - 2 VT
topgamecheats[.]dev - 19 VT Amadey
wedominatelawsuits[.]top/panel/login - 14 VT Mint Stealer
#ThreatIntel #Malware #C2 3/3.
0
0
0
185.222.57[.]84 VT 0/93
185.222.58[.]247 VT 0/93
185.222.58[.]89 VT 0/93
45.137.22[.]73 VT 0/93
45.137.22[.]90 VT 0/93
#ThreatIntel #Malware #C2 2/2.
0
0
0
Implementing new Remcos detections for #IronRadar, an RDP Hostname (WIN-SVPD50JM3QK) was identified which correlated to over 170 IPs within ASN 'RootLayer Web Services'. The vast majority of these are rated malicious and are hosting various malware strains. 1/2.
1
2
1
IronNet TR has identified an OpenDIR (154.213.186[.]220) hosting 7 BashLite/GAFGYT payloads. Currently 1/93 on VT.
Hosted Files:
pXdN91.armv4l
pXdN91.armv5l
pXdN91.armv6l
pXdN91.mips
pXdN91.mipsel
pXdN91.sh4
pXdN91.x68
#ThreatIntel #Malware #C2.
1
1
4
179.14.10[.]24 - 0 VT AsyncRAT (Documento.vbs)
181.235.7[.]20 - 0 VT Remcos (sostener.vbs)
186.169.58[.]119 - 9 VT Remcos
188.126.90[.]17 - 0 VT NjRAT | LimeRAT
190.9.223[.]135 - 7 VT
191.93.113[.]10 - 20 VT AsyncRAT
#ThreatIntel #Malware #C2.
0
0
2