Necro Python bot adds new exploits and Tezos mining to its bag of tricks
Common Information
Type Value
UUID af1a69ee-f987-4956-aff7-57c3e20e0dc0
Fingerprint 34b33b1b1467be81
Analysis status DONE
Considered CTI value 2
Text language
Published June 3, 2021, 8 a.m.
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Vulnerability Information
Title Necro Python bot adds new exploits and Tezos mining to its bag of tricks
Detected Hints/Tags/Attributes 138/3/73
Attributes
Type | #Events | Value
CVE | 16 | cve-2021-3129
CVE | 68 | cve-2020-14882
CVE | 126 | cve-2017-0144
CVE | 21 | cve-2017-0147
Domain | 138 | setup.py
Domain | 12 | bootstrap.sh
Domain | 11 | supportxmr.com
Domain | 2 | cloud-miner.de
Domain | 2 | ublock-referer.dev
Domain | 2 | bp65pce2vsk7wpvy2fyehel25ovw4v7nve3lknwzta7gtiuy6jm7l4yd.onion.ws
Domain | 2 | can6dodp.servepics.com
Domain | 904 | snort.org
Domain | 2 | o4hlcckwlbcy7qhhohqswpqla6wx7c5xmsvk3k4rohknng4nofvgz5id.onion
Domain | 2 | p2l44qilgm433bad5gbszb4mluxuejwkjaaon767m5dzuuc7mjqhcead.onion
Domain | 2 | q2p4b6pprex5mvzxm2xdqgo4q3hy2p4if2ljq7fcoavxvab7mpk232id.onion
Domain | 2 | 3og7wipgh3ruavi7gd6y3uzhcurazasln55hb6hboiavyk6pugkcdpqd.onion
Domain | 2 | rx.unmineable.com
Domain | 2 | ngiwge486ln9daoo.hopto.org
Domain | 31 | pool.supportxmr.com
File | 127 | setup.py
File | 1 | nrdh.php
File | 1 | 6829.exe
File | 533 | ntdll.dll
File | 3 | campaign.js
File | 1 | crytp.exe
File | 23 | x86.dll
File | 38 | x64.dll
File | 1 | bigransom.exe
File | 1 | x64i.exe
File | 2 | py.exe
sha256 | 1 | 8797ce228b32d890773d5dbac71cefa505b788cc8b25929be9832db422d8239b
sha256 | 1 | bc2126c03f2242013f58b43eb91351fba15d300385252423c52a5b18ece6a54f
sha256 | 1 | 97ab2092f6b5b1986536a5ba45e487f19c97f52544ff494d43bb1baf31248924
sha256 | 1 | c3fe8058ab46bd21d22f920960caae1f3b22a7aeba8d5315fb62461f4e989a7d
sha256 | 1 | 8130717a3d4053e2924a0393086511a41fc7777c045b45bb4f569bcbe69af8be
sha256 | 1 | d65e874b247dda9845661734d9e74b921f700983fd46c3626a3197f08a3006bf
sha256 | 1 | 19c25ce4302050aec3c921dd5cac546e8200a7e951d570b52fe344c421105ea8
sha256 | 1 | 606258f10519be325c39900504e50d79e551c7a9399efb9b22a7323da3f6aa7a
sha256 | 1 | 2b77b93b8e1b8ef8650957d15aaf336cf70a7df184da060f86b9892c54eefb65
sha256 | 1 | eb8b08e13aba16bd5f0d7c330493be82941210d3a6aa4856858df770f77b747d
sha256 | 1 | 80659cc37cb7fb831866f7d7b0043edc6918a99590bd9122815e18abb68daa35
sha256 | 1 | 19269ce9a0a44aca9d6b2deed7de71cf576ac611787c2af46819ca2aff44ce2a
sha256 | 1 | a8bb386fa3a6791e72f5ec6f1dc26359b00d0ee8cb0ce866f452b7fff6dbb319
sha256 | 1 | d58c3694832812bc168834e2b8b3bfcb92f85a9d4523140ad010497baabc2c3d
sha256 | 1 | e884bd4015d1b97227074bcf6cb9e8134b7afcfb6a3db758ca4654088403430a
sha256 | 1 | d6403b9c069f08939fc2f9669dc7d5165ed66a1cae07788c3b27fffb30e890a0
sha256 | 1 | 9d6171cf28b5a3572587140ef483739a185895ce2b5af3246a78c2c39beed7b8
IPv4 | 59 | 1.0.0.1
IPv4 | 198 | 1.1.1.1
IPv4 | 3 | 193.239.147.224
MITRE ATT&CK Techniques | 542 | T1190
MITRE ATT&CK Techniques | 80 | T1064
MITRE ATT&CK Techniques | 460 | T1059.001
MITRE ATT&CK Techniques | 440 | T1055
MITRE ATT&CK Techniques | 115 | T1571
MITRE ATT&CK Techniques | 141 | T1219
MITRE ATT&CK Techniques | 152 | T1056
MITRE ATT&CK Techniques | 627 | T1027
MITRE ATT&CK Techniques | 380 | T1547.001
Url | 1 | https://cloud-miner.de/tkefrep/tkefrep.js?tkefrep=bs?nosaj=faster.xmr2
Url | 1 | https://ublock-referer.dev/.
Url | 1 | http://193.239.147.224/crytp.exe
Url | 1 | http://can6dodp.servepics.com/setup
Url | 1 | http://can6dodp.servepics.com/py.exe
Url | 1 | http://can6dodp.servepics.com/xmrig
Url | 1 | http://can6dodp.servepics.com/xmrig1
Url | 1 | http://ngiwge486ln9daoo.hopto.org/setup.py
Url | 1 | http://ngiwge486ln9daoo.hopto.org/py.exe
Url | 1 | http://bp65pce2vsk7wpvy2fyehel25ovw4v7nve3lknwzta7gtiuy6jm7l4yd.onion.ws/setup.py
Url | 1 | http://bp65pce2vsk7wpvy2fyehel25ovw4v7nve3lknwzta7gtiuy6jm7l4yd.onion.ws/py.exe
Url | 1 | http://can6dodp.servepics.com/setup.py
Windows Registry Key | 2 | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System
Windows Registry Key | 2 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System
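The attribute listing above is only useful once it is machine-readable. The following is an added example (not code from the original report or from the site hosting this entry) that parses the listing in either of the two layouts it appears in (one `Type | #Events | Value` row per indicator, or a `Details <Type> <#Events>` line followed by the value on the next line) into typed indicator sets, then runs a small hunt over constructed telemetry: proxy log lines are matched against the listed URLs, domains and IPs (subdomains of a listed domain count as hits), and a registry snapshot is checked for the listed `Run\System` persistence value. The IOC excerpt, the proxy log lines and the registry snapshot are all constructed for the example; the log format is an assumed Apache/Squid-style access line.

```python
"""Hunt with the indicator listing on this page (added example, not part of the report)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt of the listing, in both layouts the parser accepts:
# a "Details <Type> <#Events>" line followed by the value on the next line,
# and a one-row "Type | #Events | Value" form.
IOC_LISTING = r"""
Details Domain 2
can6dodp.servepics.com
Details IPv4 3
193.239.147.224
Details MITRE ATT&CK Techniques 380
T1547.001
Details Url 1
http://can6dodp.servepics.com/setup.py
Details Windows Registry Key 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System
Type | #Events | Value
Domain | 31 | pool.supportxmr.com
Url | 1 | http://193.239.147.224/crytp.exe
"""

ROW = re.compile(r"^(?P<type>[^|]+?)\s*\|\s*(?P<events>\d+)\s*\|\s*(?P<value>.+)$")
HEADER = re.compile(r"^Details (?P<type>.+?) (?P<events>\d+)$")

def parse_listing(text):
    """Map indicator type -> set of values; tolerates stray lines such as the table header."""
    iocs = defaultdict(set)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        row = ROW.match(lines[i])
        if row:
            iocs[row.group("type")].add(row.group("value").strip())
            i += 1
            continue
        hdr = HEADER.match(lines[i])
        if hdr and i + 1 < len(lines):
            iocs[hdr.group("type")].add(lines[i + 1])
            i += 2
            continue
        i += 1
    return dict(iocs)

# Request target of a constructed Apache/Squid-style proxy log line (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|CONNECT)\s+(\S+)')

def request_target(line):
    """Return (host, full_url_or_None); CONNECT lines carry only host:port."""
    m = REQUEST.search(line)
    if not m:
        return None, None
    target = m.group(1)
    if "://" in target:
        return urlparse(target).hostname, target
    return target.rsplit(":", 1)[0], None

def hunt_proxy(lines, iocs):
    """Flag a listed URL, or a host equal to (or a subdomain of) a listed domain/IP."""
    hosts = iocs.get("Domain", set()) | iocs.get("IPv4", set())
    urls = iocs.get("Url", set())
    hits = []
    for line in lines:
        host, url = request_target(line)
        if host is None:
            continue
        if url in urls:
            hits.append(("url", url))
        elif any(host == h or host.endswith("." + h) for h in hosts):
            hits.append(("host", host))
    return hits

def hunt_registry(snapshot, iocs):
    """Return (key, data) pairs whose key is one of the listed Run-key persistence entries."""
    keys = {k.lower() for k in iocs.get("Windows Registry Key", set())}
    return [(k, v) for k, v in snapshot if k.lower() in keys]

# Constructed sample telemetry (not from any real host).
PROXY_LOG = [
    '10.0.0.5 - - [03/Jun/2021:08:12:01 +0000] "GET http://can6dodp.servepics.com/setup.py HTTP/1.1" 200',
    '10.0.0.7 - - [03/Jun/2021:08:12:30 +0000] "GET https://pypi.org/simple/requests/ HTTP/1.1" 200',
    '10.0.0.5 - - [03/Jun/2021:08:13:02 +0000] "CONNECT pool.supportxmr.com:3333 HTTP/1.1" 200',
]
REGISTRY_SNAPSHOT = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System", r"C:\Users\bob\AppData\Roaming\py.exe setup.py"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    iocs = parse_listing(IOC_LISTING)
    for kind, value in hunt_proxy(PROXY_LOG, iocs):
        print(f"proxy hit ({kind}): {value}")
    for key, data in hunt_registry(REGISTRY_SNAPSHOT, iocs):
        print(f"persistence: {key} = {data}")
```

Two caveats when using the real listing rather than the excerpt: several entries the extractor tagged as Domain (`setup.py`, `bootstrap.sh`, `snort.org`) and the IPv4 entries `1.1.1.1` / `1.0.0.1` (Cloudflare's public resolvers) will match legitimate traffic, so review hits on those values before acting on them; and the hash, file name and ATT&CK columns are parsed here but not hunted, since matching them needs endpoint telemetry rather than a proxy log.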