Mirai goes Stealth - TLS & IoT Malware
Common Information
Type Value
UUID aea09ee3-476c-43ac-8b25-6cd4dd86d233
Fingerprint 150c8bbf41e31212
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 30, 2021, midnight
Added to db Aug. 31, 2024, 10 a.m.
Last updated Sept. 4, 2024, 3:57 a.m.
Headline Mirai goes Stealth - TLS & IoT Malware
Title Mirai goes Stealth - TLS & IoT Malware
Detected Hints/Tags/Attributes 66/2/37
RSS Feed
Id Enabled Feed title Url Added to db
326 Lacework Blog https://www.lacework.com/lacework_blog.xml 2024-08-30 22:08
Attributes
Type #Events CTI Value
CVE 9
cve-2021-22204
File 1
news.inf
Url 1
http://destinyexp.com/200
Url 1
http://45.78.65.155/306
Url 1
http://45.78.65.155:8011
Yara rule 1
rule mbedtls_iot {
	meta:
		description = "finds iot binaries using mbedtls"
		author = "Chris Hall @LaceworkLabs"
		date = "2021-07-11"
	strings:
		$s1 = "id-at-postalAddress" ascii fullword
		$s2 = "Usage does not match the keyUsage extension" ascii fullword
		$s3 = "id-at-postalCode" ascii fullword
		$s4 = "%s%-18s: %d bits" ascii fullword
		$s5 = "id-ce-keyUsage" ascii fullword
		$s6 = "npxXoudifFeEgGaACScs" ascii fullword
	condition:
		uint16(0) == 0x457f and all of them
}
Yara rule 1
rule mbedtls_mirai {
	meta:
		description = "finds Mirai binaries using mbedtls"
		author = "Chris Hall @LaceworkLabs"
		date = "2021-07-11"
	strings:
		$s1 = "id-at-postalAddress" ascii fullword
		$s2 = "Usage does not match the keyUsage extension" ascii fullword
		$s3 = "id-at-postalCode" ascii fullword
		$s4 = "id-ce-extKeyUsage" ascii fullword
		$s5 = "%s%-18s: %d bits" ascii fullword
		$s6 = "id-ce-keyUsage" ascii fullword
		$s7 = "npxXoudifFeEgGaACScs"
		$s8 = "Mozilla" xor(1-255)
	condition:
		uint16(0) == 0x457f and all of them
}