We have taken in feedback from the community and simplified our model to be more flexible, tailored to fit organizations of all sizes, with enhanced support options at higher tiers. If you're interested in learning more, feel free to reach out! #threatintel #IronRadar

194.87.232[.]36 - Medusa Malware hxxp://194.87.232[.]36/sora.sh 110.74.221[.]29 - #RunningRAT (110.74.221[.]29:8585/server.exe) 38.62.245[.]50 - XWorm hxxp://38.62.245[.]50/contract_review.exe 2/2.

This morning, IronNet deployed an update to IronRadar based on our Open-Dir development. IronRadar customers now have actionable, proactive intelligence of open-dir's hosting malicious payloads. #opendir #Malware #C2 #ThreatIntel #Cybersecurity. Examples in 🧵. 1/2.

server.exe - 04e826b96233b7285ed00a6a964ae824086ed97483a98a051743494f27466005 - Donut Loader. pythonw.exe - 450745689468e04af26cb92261a6baa25e51966c8c3eb49d10c5f7dbde7e6476 - NESHTA . #opendir #malware #phishing #urlhaus #censys #anyrun #hatchingtriage #ThreatIntel #C2.4/4.

Network:.38.62.245[.]50.coinmarkettcap[.]com[.]ng. ASN: .#24SHELLS. Filenames & Hashes:.contract_review.exe - 85937170a95daf74d6dcb1c270b7d7387e1ce557cfca6efa4281644fe4c4592b - XWorm. putty.exe - 9f96931855f7a2b61a6ba1f0bb14bd3c088c0c2d3a51da28b517569b5c305a57 - NESHTA. 3/4.

Malicious open-dirs: .hxxp://38.62.245[.]50.hxxp://38.62.245[.]50:5000.RDP hostname: CN=WIN-CLJ1B0GQ6JP. Malware: #XWorm, #NESHTA, and #DonutLoader .Phishing docs: file.pdf, filee.pdf .Phishing Companies: Silver Cliff Construction and Energy Bullet LLC. 2/4.

While continuing to refine IronRadar's open-dir detection capabilities, we uncovered an initial access vector associated with a suspected coinminer/spyware phishing campaign. Censys query: "((putty.exe) and labels=`open-dir`) and services.port=`3389`". 1/4.

36.6.140[.]140 - 2 VT.36.152.66[.]126 - 0 VT.117.57.95[.]3 - 0 VT.118.122.131[.]36 - 0 VT.120.234.199[.]52 - 0 VT.122.228.208[.]190 - 0 VT.125.65.88[.]195 - 0 VT.125.67.171[.]132 - 0 VT.171.221.12[.]241 - 0 VT.182.149.112[.]154 - 0 VT. 3/3.

Using 'ludashisetup[.]exe' as a search filter, we identified 11 additional Open-Dirs that were unrated. All of these contained malicious and/or suspicious files. Censys Query: (ludashisetup.exe) and labels='open-dir'. 2/3.

While researching an Open-Dir, we identified a file (ludashisetup[.]exe). Although this appears to be low severity, tagged as PUP/Riskware, it was cohosted with numerous malicious/sus binaries, which we decided to look into. #ThreatIntelligence #ThreatIntel #malware #C2. 1/3.

Domains:.postutleveringssted[.]com - 8 VT.banshee-stealer[.]com/login/ - 2 VT Banshee Stealer.refbofa39b[.]com - 1 VT.refdcu20n[.]com - 2 VT.topgamecheats[.]dev - 19 VT Amadey.wedominatelawsuits[.]top/panel/login - 14 VT Mint Stealer. #ThreatIntel #Malware #C2 .3/3.

ASN: Silent Connection LTD.IPs:.154.216.16[.]105 - 0 VT.154.216.16[.]183 - 0 VT.154.216.17[.]240 - 0 VT.154.216.18[.]134 - 0 VT.154.216.18[.]135 - 0 VT.154.216.19[.]213 - 0 VT.2/3.

In April, we reported on a TLS cert (cryptohopperai[.]org) associated with a network cluster hosting various malware, to include Amadey and other stealer malware. A new active cluster has been identified using this TLS cert with numerous IPs and Domains, most unreported 1/3.

185.222.57[.]84 VT 0/93.185.222.58[.]247 VT 0/93.185.222.58[.]89 VT 0/93.45.137.22[.]73 VT 0/93.45.137.22[.]90 VT 0/93. #ThreatIntel #Malware #C2 2/2.

Implementing new Remcos detections for #IronRadar, an RDP Hostname (WIN-SVPD50JM3QK) was identified which correlated to over 170 IPs within ASN 'RootLayer Web Services'. The vast majority of these are rated malicious and are hosting various malware strains. 1/2.

IronNet TR has identified an OpenDIR (154.213.186[.]220) hosting 7 BashLite/GAFGYT payloads. Currently 1/93 on VT. Hosted Files:.pXdN91.armv4l.pXdN91.armv5l.pXdN91.armv6l.pXdN91.mips.pXdN91.mipsel.pXdN91.sh4.pXdN91.x68. #ThreatIntel #Malware #C2.

179.14.10[.]24 - 0 VT AsyncRAT (Documento.vbs) .181.235.7[.]20 - 0 VT Remcos (sostener.vbs).186.169.58[.]119 - 9 VT Remcos .188.126.90[.]17 - 0 VT NjRAT | LimeRAT .190.9.223[.]135 - 7 VT .191.93.113[.]10 - 20 VT AsyncRAT. #ThreatIntel #Malware #C2.

46.246.12[.]14 - 12 VT DCRAT .46.246.80[.]10 - 4 VT DCRAT | NJRAT .46.246.86[.]12 - 3 VT DCRAT .46.246.86[.]23 - 0 VT Remcos (wecqa2ra7nvcx.exe) .89.117.23[.]25 - 14 VT DCRAT | Remcos .178.73.192[.]11 - 11 VT DCRAT.

IronNet TR has discovered a RemcosRAT indicator 89.117.23[.]25 found to be hosting multiple open-dir domains containing the file sostener.vbs (identified as Remcos). Further investigation associates this file as part of a larger RAT campaign (12 IPs - Remcos, Async, DCRAT).