IronNet Threat Research

@IronNetTR

Followers: 951
Following: 72
Media: 313
Statuses: 526

Transforming NDR through Collective Defense. Interested in a trial or demo of IronRadar? Reach out to [email protected]

Joined July 2018
@IronNetTR
IronNet Threat Research
11 months
We have taken in feedback from the community and simplified our model to be more flexible, tailored to fit organizations of all sizes, with enhanced support options at higher tiers. If you're interested in learning more, feel free to reach out! #threatintel #IronRadar
@IronNetTR
IronNet Threat Research
10 months
194.87.232[.]36 - Medusa Malware hxxp://194.87.232[.]36/sora.sh
110.74.221[.]29 - #RunningRAT (110.74.221[.]29:8585/server.exe)
38.62.245[.]50 - XWorm hxxp://38.62.245[.]50/contract_review.exe
2/2.
@IronNetTR
IronNet Threat Research
10 months
This morning, IronNet deployed an update to IronRadar based on our Open-Dir development. IronRadar customers now have actionable, proactive intelligence on open-dirs hosting malicious payloads. #opendir #Malware #C2 #ThreatIntel #Cybersecurity. Examples in 🧵. 1/2.
@IronNetTR
IronNet Threat Research
10 months
server.exe - 04e826b96233b7285ed00a6a964ae824086ed97483a98a051743494f27466005 - Donut Loader
pythonw.exe - 450745689468e04af26cb92261a6baa25e51966c8c3eb49d10c5f7dbde7e6476 - NESHTA
#opendir #malware #phishing #urlhaus #censys #anyrun #hatchingtriage #ThreatIntel #C2. 4/4.
@IronNetTR
IronNet Threat Research
10 months
Network:
38.62.245[.]50
coinmarkettcap[.]com[.]ng
ASN: #24SHELLS
Filenames & Hashes:
contract_review.exe - 85937170a95daf74d6dcb1c270b7d7387e1ce557cfca6efa4281644fe4c4592b - XWorm
putty.exe - 9f96931855f7a2b61a6ba1f0bb14bd3c088c0c2d3a51da28b517569b5c305a57 - NESHTA
3/4.
@IronNetTR
IronNet Threat Research
10 months
Malicious open-dirs:
hxxp://38.62.245[.]50
hxxp://38.62.245[.]50:5000
RDP hostname: CN=WIN-CLJ1B0GQ6JP
Malware: #XWorm, #NESHTA, and #DonutLoader
Phishing docs: file.pdf, filee.pdf
Phishing Companies: Silver Cliff Construction and Energy Bullet LLC
2/4.
@IronNetTR
IronNet Threat Research
10 months
While continuing to refine IronRadar's open-dir detection capabilities, we uncovered an initial access vector associated with a suspected coinminer/spyware phishing campaign. Censys query: "((putty.exe) and labels=`open-dir`) and services.port=`3389`". 1/4.
@IronNetTR
IronNet Threat Research
11 months
36.6.140[.]140 - 2 VT
36.152.66[.]126 - 0 VT
117.57.95[.]3 - 0 VT
118.122.131[.]36 - 0 VT
120.234.199[.]52 - 0 VT
122.228.208[.]190 - 0 VT
125.65.88[.]195 - 0 VT
125.67.171[.]132 - 0 VT
171.221.12[.]241 - 0 VT
182.149.112[.]154 - 0 VT
3/3.
@IronNetTR
IronNet Threat Research
11 months
Using 'ludashisetup[.]exe' as a search filter, we identified 11 additional Open-Dirs that were unrated. All of these contained malicious and/or suspicious files. Censys Query: (ludashisetup.exe) and labels='open-dir'. 2/3.
@IronNetTR
IronNet Threat Research
11 months
While researching an Open-Dir, we identified a file (ludashisetup[.]exe). Although this appears to be low severity, tagged as PUP/Riskware, it was cohosted with numerous malicious/sus binaries, which we decided to look into. #ThreatIntelligence #ThreatIntel #malware #C2. 1/3.
@IronNetTR
IronNet Threat Research
11 months
Domains:
postutleveringssted[.]com - 8 VT
banshee-stealer[.]com/login/ - 2 VT Banshee Stealer
refbofa39b[.]com - 1 VT
refdcu20n[.]com - 2 VT
topgamecheats[.]dev - 19 VT Amadey
wedominatelawsuits[.]top/panel/login - 14 VT Mint Stealer
#ThreatIntel #Malware #C2 3/3.
@IronNetTR
IronNet Threat Research
11 months
ASN: Silent Connection LTD
IPs:
154.216.16[.]105 - 0 VT
154.216.16[.]183 - 0 VT
154.216.17[.]240 - 0 VT
154.216.18[.]134 - 0 VT
154.216.18[.]135 - 0 VT
154.216.19[.]213 - 0 VT
2/3.
@IronNetTR
IronNet Threat Research
11 months
In April, we reported on a TLS cert (cryptohopperai[.]org) associated with a network cluster hosting various malware, to include Amadey and other stealer malware. A new active cluster has been identified using this TLS cert with numerous IPs and Domains, most unreported. 1/3.
@IronNetTR
IronNet Threat Research
11 months
185.222.57[.]84 VT 0/93
185.222.58[.]247 VT 0/93
185.222.58[.]89 VT 0/93
45.137.22[.]73 VT 0/93
45.137.22[.]90 VT 0/93
#ThreatIntel #Malware #C2 2/2.
@IronNetTR
IronNet Threat Research
11 months
Implementing new Remcos detections for #IronRadar, an RDP Hostname (WIN-SVPD50JM3QK) was identified which correlated to over 170 IPs within ASN 'RootLayer Web Services'. The vast majority of these are rated malicious and are hosting various malware strains. 1/2.
@IronNetTR
IronNet Threat Research
11 months
IronNet TR has identified an OpenDIR (154.213.186[.]220) hosting 7 BashLite/GAFGYT payloads. Currently 1/93 on VT.
Hosted Files:
pXdN91.armv4l
pXdN91.armv5l
pXdN91.armv6l
pXdN91.mips
pXdN91.mipsel
pXdN91.sh4
pXdN91.x68
#ThreatIntel #Malware #C2.
@IronNetTR
IronNet Threat Research
11 months
179.14.10[.]24 - 0 VT AsyncRAT (Documento.vbs)
181.235.7[.]20 - 0 VT Remcos (sostener.vbs)
186.169.58[.]119 - 9 VT Remcos
188.126.90[.]17 - 0 VT NjRAT | LimeRAT
190.9.223[.]135 - 7 VT
191.93.113[.]10 - 20 VT AsyncRAT
#ThreatIntel #Malware #C2.
@IronNetTR
IronNet Threat Research
11 months
46.246.12[.]14 - 12 VT DCRAT
46.246.80[.]10 - 4 VT DCRAT | NJRAT
46.246.86[.]12 - 3 VT DCRAT
46.246.86[.]23 - 0 VT Remcos (wecqa2ra7nvcx.exe)
89.117.23[.]25 - 14 VT DCRAT | Remcos
178.73.192[.]11 - 11 VT DCRAT
@IronNetTR
IronNet Threat Research
11 months
IronNet TR has discovered a RemcosRAT indicator 89.117.23[.]25 found to be hosting multiple open-dir domains containing the file sostener.vbs (identified as Remcos). Further investigation associates this file as part of a larger RAT campaign (12 IPs - Remcos, Async, DCRAT).
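The RAT-campaign posts above list indicators in a fixed defanged shape ("ip - N VT family | family (dropper)"). The parser below is an added example, not IronNet's code, showing how a detection team can turn lines in that shape into structured watchlist records; the sample lines are constructed with documentation addresses, not indicators from the posts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches the post format: "<ioc> - <count> VT <families...> (<filename>)".
LINE_RE = re.compile(r"^(?P<ioc>\S+)\s+-\s+(?P<vt>\d+)\s+VT\s*(?P<rest>.*)$")


@dataclass
class Indicator:
    ioc: str                      # refanged IP or domain
    vt_hits: int                  # VirusTotal detection count as stated in the post
    families: List[str] = field(default_factory=list)  # families named after the count
    filename: Optional[str] = None                     # dropper name in parentheses, if any


def refang(value: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging so the value can be loaded into tooling."""
    return value.replace("[.]", ".").replace("hxxp://", "http://")


def parse_line(line: str) -> Optional[Indicator]:
    """Parse one indicator line; returns None for lines that are not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip().rstrip(".")
    filename = None
    fm = re.search(r"\(([^)]+)\)", rest)      # optional "(dropper.vbs)" suffix
    if fm:
        filename = fm.group(1)
        rest = rest[:fm.start()].strip()
    families = [f.strip() for f in rest.split("|") if f.strip()]
    return Indicator(refang(m.group("ioc")), int(m.group("vt")), families, filename)


# Constructed sample in the posts' shape (RFC 5737 test addresses, not real IoCs).
SAMPLE = """\
203.0.113[.]10 - 0 VT Remcos (sostener.vbs)
203.0.113[.]11 - 14 VT DCRAT | Remcos
203.0.113[.]12 - 7 VT
"""


def undetected(text: str) -> List[Indicator]:
    """Indicators listed with 0 VT hits: the ones a watchlist gains the most from."""
    records = [r for r in map(parse_line, text.splitlines()) if r is not None]
    return [r for r in records if r.vt_hits == 0]
```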