| Type | IOC | Details |
|---|---|---|
| Script | 475ee7d043402c17e2541b33cf1732d2 | Path: /root/init.sh |
| Script | 5f6108045f44053dc77e121048ffda71 | Path: /root/run.sh |
| Script | 1f769890e62f7129df85c5dc4b22d3c0 | Path: /root/GoldRush.sh |
| File | 8ffdba0c9708f153237aabb7d386d083 | Path: /root/spr_out/64[watchdogd] |
| File | b8568c474fc342621f748a5e03f71667 | Path: /root/spr_out/64bioset |
| File | 5f5599171bfb778a7c7483ffdec18408 | Path: /root/spr_out/64tshd |
| File | 23812035114dbd56599694ed9b1712d2 | Path: /root/spr_out/armbioset |
| File | cfa007dc2d02da9a8873c761aa5a5c8c | Path: /root/spr_out/armdns |
| File | d46b96e9374ea6988836ddd1b7f964ee | Path: /root/spr_out/armtshd |
| Image | hildeteamtnt/dockerfirst:latest | https://hub.docker.com/r/hildeteamtnt/dockerfirst |
| IP address | 45[.]9[.]148[.]123 | Attacker’s C2 server |
| IP address | 178[.]255[.]151[.]130, 39[.]104[.]93[.]238 | Attacker’s IP address |
| Domain | teamtnt[.]red | Attacker’s remote resource |