Technology cybersecurity Threat Intelligence Malware Analysis
Gi7w0rm
Gi7w0rm

@Gi7w0rm

7 Tweets 87 reads Mar 04, 2022
Twitter
The #ContiLeaks contained some messages consisting of IP:Username:pass combinations for #Conti infrastructure.
This allows us to connect certain #Trickbot activcity with the #Conti group:
1/x
The #ContiLeaks contained some messages consisting of IP:Username:pass combinations for #Conti infr...
The IP's in the image are the following:
117.252.69[.]134
117.252.68[.]15
116.206.153[.]212
103.78.13[.]150
103.47.170[.]131
103.47.170[.]130
118.91.190[.]42
117.197.41[.]36
117.222.63[.]77
117.252.69[.]210
2/x
Using @MaltegoHQ together with OTX/Alienvault and
@virustotal integration, we are able to connect several of these IP's to #Trickbot activity:
3/x
Using @MaltegoHQ together with OTX/Alienvault and @virustotal integration, we are able to connect s...
Some interesting observations:
- OTX shows that many of these devices used for spreading Trickbot are running #RouterOS by #Mikrotik
- 5 IPs don't have #malware attribution. These are all based in India. Maybe attack infrastructure ?
4/x
Some other malware can be observed associated:
#Qbot / #Dridex
34fced20fd7d43fb4c8216e0bae2b55b4419f6d68fe4f5248eb4fa196d1d9e50
Unknown python #stealer:
09e5c1f5581c3433a16ec08ee85d32b27e2153aa60e30ca18f13a0e34ba9840a
5/x
AutoIt Script
82f393fe3a8e6eae3f63e46d3336def02a2d6436e427cdcce3701f296b4176e1
Something called #Strictor or #VBClone:
51cd90f402a646d2b19203f11c87bf63c88bab6a2f623cea1e09d5d8c8a7bcd4
unidentified Malware:
42958ca44222099be2d1bfde4ee20c8a24ac4bcc1c9e29bbfe7b0c5d52c91212
6/x
Would love to know if these have any relation to #Conti.
Maybe someone with better RE Skills can have a look ?
@malwrhunterteam @herrcore @aaqeel87 @TheDFIRReport @VK_Intel @executemalware

Categories

Technology cybersecurity Threat Intelligence Malware Analysis

Some tweets missing

Loading suggestions...