PULSE NAME
Xwo - A Python-based bot scanner
WHITE AlienVault 2019-03-26 Modified: 2019-04-02
30 IOCs
MEDIUM VOLUME
A Python-based bot compiled for Windows that can scan for default credentials in FTP, MySQL, PostgreSQL, MongoDB, Redis, Memcached, Tomcat, phpMyAdmin, VNC, and RSYNC. It can also scan for default SVN and Git paths and www backup paths. Once it finds valid credentials, it reports them to a C2 address.
Indicators of Compromise (30)