home.social

#opendir — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #opendir, aggregated by home.social.

  1. #malware #opendir #xloader (small one works, big one not so much) at:

    https://royfils\.com/encrypt/

    2cd9b8fb88e7cbbc5c049441fb61e0aea7be23dc7aa2c109c13abefe7a2ac943

    4733feaca04e871d4e0bb052f2437a2f46f10852602ea4f8b2f0170f4838dd87

  2. #malware #opendir #xloader (small one works, big one not so much) at:

    https://royfils\.com/encrypt/

    2cd9b8fb88e7cbbc5c049441fb61e0aea7be23dc7aa2c109c13abefe7a2ac943

    4733feaca04e871d4e0bb052f2437a2f46f10852602ea4f8b2f0170f4838dd87

  3. #malware #opendir #xloader (small one works, big one not so much) at:

    https://royfils\.com/encrypt/

    2cd9b8fb88e7cbbc5c049441fb61e0aea7be23dc7aa2c109c13abefe7a2ac943

    4733feaca04e871d4e0bb052f2437a2f46f10852602ea4f8b2f0170f4838dd87

  4. #malware #opendir #xloader (small one works, big one not so much) at:

    https://royfils\.com/encrypt/

    2cd9b8fb88e7cbbc5c049441fb61e0aea7be23dc7aa2c109c13abefe7a2ac943

    4733feaca04e871d4e0bb052f2437a2f46f10852602ea4f8b2f0170f4838dd87

  5. #malware #opendir #xloader (small one works, big one not so much) at:

    https://royfils\.com/encrypt/

    2cd9b8fb88e7cbbc5c049441fb61e0aea7be23dc7aa2c109c13abefe7a2ac943

    4733feaca04e871d4e0bb052f2437a2f46f10852602ea4f8b2f0170f4838dd87

  6. Back in the rest of the #opendir, uploads/ is used by app.py, I don't see where downloads_cache is used, but similar agent-[0-9]+ structure. The SANS PDF "All-books-in-oneSANSSEC670RedTeamingTools-DevelopingCustomToolsforWindows.pdf" may be the inspiration behind app.py/agent.go

  7. Interesting #OpenDir on #QuasarRat C2 server 185.208.159[.]161:8000 . The open web directory includes source code for a backdoor + misc development artifacts.

    platform.censys.io/hosts/185.2
    search.censys.io/hosts/185.208

    #malware #thread 🧵

  8. #malware #opendir ultimately #venomrat + #hvnc:

    https://carltonsfile\.com/mor1/ -> https://paste\.ee/d/c7nSA2yM/0

    c2: 109.248.144.175:4449

    4541fd01a19f1e484f24eff86f42ac36ea9b30686fd405ca0a50f3e517657a61

  9. #malware #opendir ultimately #venomrat + #hvnc:

    https://carltonsfile\.com/mor1/ -> https://paste\.ee/d/c7nSA2yM/0

    c2: 109.248.144.175:4449

    4541fd01a19f1e484f24eff86f42ac36ea9b30686fd405ca0a50f3e517657a61

  10. #malware #opendir ultimately #venomrat + #hvnc:

    https://carltonsfile\.com/mor1/ -> https://paste\.ee/d/c7nSA2yM/0

    c2: 109.248.144.175:4449

    4541fd01a19f1e484f24eff86f42ac36ea9b30686fd405ca0a50f3e517657a61

  11. #malware #opendir ultimately #venomrat + #hvnc:

    https://carltonsfile\.com/mor1/ -> https://paste\.ee/d/c7nSA2yM/0

    c2: 109.248.144.175:4449

    4541fd01a19f1e484f24eff86f42ac36ea9b30686fd405ca0a50f3e517657a61

  12. #malware #opendir ultimately #venomrat + #hvnc:

    https://carltonsfile\.com/mor1/ -> https://paste\.ee/d/c7nSA2yM/0

    c2: 109.248.144.175:4449

    4541fd01a19f1e484f24eff86f42ac36ea9b30686fd405ca0a50f3e517657a61

  13. If you're not blocking trycloudflare\.com at the perimeter, now's the time: #opendir 's:

    https://em-ash-announcements-alpha.trycloudflare\.com/1DSAHJKSA/ ->
    https://did-efficiency-than-lenses.trycloudflare\.com ->
    https://reached-theoretical-regular-impact\.trycloudflare.com

  14. #webshell #opendir #netsupport #rat at:

    https://appointedtimeagriculture\.com/wp-includes/blocks/post-content/

    GatewayAddress=95.179.158.213:443
    RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA

  15. #webshell #opendir #netsupport #rat at:

    https://appointedtimeagriculture\.com/wp-includes/blocks/post-content/

    GatewayAddress=95.179.158.213:443
    RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA

  16. 💡No #opendir? Why don't you check for .DS_Store files listing the structure ?

    Our scans found 11,856,006 IPs and DNS exposing the file.

    Link: leakix.net/search?scope=leak&q
    Ref: 0day.work/parsing-the-ds_store

  17. #opendir at:

    https:// superior-somalia-bs-leisure.trycloudflare\.com ->
    http:// jsnybsafva\.biz:8030

  18. #snakekelogger hta's at #opendir :

    http://192.3.176\.138/xampp/ozon
    drops
    http://192.3.176\.138/105/sahost.exe (also 106)

    d9863b7b710599bc2b308a0b78970da8c42ee5bc6d3dcda05c2de52a88125726

    exfils to: [email protected]

  19. Large #opendir at:

    http://57.180.253.244

    medium confidence msbuild.exe is #ghostrat

  20. Some fresh encoded #formbook in an #opendir at:

    http://dianomefs .cfd/Ajai/

  21. Two suspicious domain names possibly impersonating Anydesk anydeskwin[.]info and anydeskdownload[.]info

    Both the websites are serving an #opendir at the moment and pointing at AS13335

    #threatintel #anydesk

  22. 📥 Interesting #opendir
    45.84.1[.]161:8081
    Hosted at AS44477 Stark Industries Solutions Ltd. 🗑️

    Obf. #Sliver Linux #Implant and a Powershell script which tries to bypass AMSI and runs #Sharphound

    From the choice of hosting provider we infer malicious intent rather than #RedTeam

    Artifacts (#IoC)

    ff32a69075d9eb59ea5d25207d3ee775 rtn_default
    2fe7fb5ff2679de37673997b96958d08 rtn_info.ps1

    Samples available @abuse_ch Bazaar:
    bazaar.abuse.ch/sample/763bd22

    bazaar.abuse.ch/sample/f5ab886

    #infosec #cybersecurity

  23. 📥 Interesting #opendir
    45.84.1[.]161:8081
    Hosted at AS44477 Stark Industries Solutions Ltd. 🗑️

    Obf. #Sliver Linux #Implant and a Powershell script which tries to bypass AMSI and runs #Sharphound

    From the choice of hosting provider we infer malicious intent rather than #RedTeam

    Artifacts (#IoC)

    ff32a69075d9eb59ea5d25207d3ee775 rtn_default
    2fe7fb5ff2679de37673997b96958d08 rtn_info.ps1

    Samples available @abuse_ch Bazaar:
    bazaar.abuse.ch/sample/763bd22

    bazaar.abuse.ch/sample/f5ab886

    #infosec #cybersecurity

  24. 📥 Interesting #opendir
    45.84.1[.]161:8081
    Hosted at AS44477 Stark Industries Solutions Ltd. 🗑️

    Obf. #Sliver Linux #Implant and a Powershell script which tries to bypass AMSI and runs #Sharphound

    From the choice of hosting provider we infer malicious intent rather than #RedTeam

    Artifacts (#IoC)

    ff32a69075d9eb59ea5d25207d3ee775 rtn_default
    2fe7fb5ff2679de37673997b96958d08 rtn_info.ps1

    Samples available @abuse_ch Bazaar:
    bazaar.abuse.ch/sample/763bd22

    bazaar.abuse.ch/sample/f5ab886

    #infosec #cybersecurity