Hide Your RDP: Password Spray Leads to RansomHub Deployment

    Date: 07/01/2025

    Severity: High

    Summary

    The intrusion started in November 2024 with a password spray attack against an exposed RDP server. The attacker attempted multiple logins over several hours using accounts and IPs flagged in OSINT sources. Eventually, they gained RDP access with a compromised account and executed discovery commands to enumerate users and systems. Tools like Mimikatz and Nirsoft CredentialsFileView were then used to extract credentials and access LSASS memory.

    Indicators of Compromise (IOC) List

    IP Addresses:

    185.190.24.54

    185.190.24.33

    164.138.90.2

    38.180.245.207

    Hashes (MD5, SHA1 and SHA256 of the same samples; the full values also appear in the detection queries below):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Addresses:

    dstipaddress IN ("38.180.245.207","164.138.90.2","185.190.24.33","185.190.24.54") or srcipaddress IN ("38.180.245.207","164.138.90.2","185.190.24.33","185.190.24.54")

    Hash 1 (MD5):

    md5hash IN ("a768244ca664349a6d1af84a712083c0","eba5bfca73c2754fbf93ed64fa224132","6f3a658fc32b4a378716ac167ebaf5ac","8e0b1f8390acb832dbf3abadeb7e5fd3","1cc1534b70b8d2b99b69a721c83e586a")

    Hash 2 (SHA1):

    sha1hash IN ("b746c91e014205db94f775bb6db480387c9ebc20","19138d3c197ee1e59756d1f4fc3fd66809f44c1b","39300863bcaad71e5d4efc9a1cae118440aa778f","02e6ff95949fdf341daee846820d40289ab65985","6ac2d77631f775797cd0029e199a5dfe83f47b4c")

    Hash 3 (SHA256):

    sha256hash IN ("ec45ebd938e363e36cacb42e968a960fbe4e21ced511f0ea2c0790b743ff3c67","25117dcb2d852df15fe44c5757147e7038f289e6156b0f6ab86d02c0e97328cb","e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c","4775dfb24f85f5d776f538018a98cc6a9853a1840f5c00b7d0c54695f03a11d9","ffd09a5c27938d1f7424ed66d1474cfeb3df72daabdf10e09f161ed1ffd21271")
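    The queries above only match the indicators known from this intrusion. The pattern the summary describes, many failed RDP logons from one source against different accounts over several hours followed by a successful logon from the same source, can also be caught behaviourally. The following is an added example, not code from the DFIR report or from Gurucul: it assumes Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), parses a constructed flattened key=value log, and flags a source that fails against at least five distinct accounts inside a sliding six-hour window, naming the account that subsequently succeeded.

```python
# Added example (not from the DFIR report or Gurucul): detect "password spray,
# then successful RDP logon from the same source". Event IDs 4625/4624 and
# logon type 10 (RemoteInteractive) are real Windows values; the log format,
# timestamps, accounts and IPs below are constructed (documentation ranges).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one source tries six accounts, then one succeeds.
SAMPLE_LOG = "\n".join(
    [f"2024-11-02T0{i}:15:00 EventID=4625 LogonType=10 TargetUserName={u} IpAddress=203.0.113.10"
     for i, u in enumerate(["jsmith", "mlee", "admin", "svc_backup", "rpatel", "helpdesk"])]
    + ["2024-11-02T05:40:00 EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.10",
       # A user mistyping a password once and then logging in must not alert.
       "2024-11-02T08:00:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7",
       "2024-11-02T08:00:30 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7"])

def parse_events(text):
    """Parse the constructed 'timestamp key=value ...' lines into sorted dicts."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        e = dict(f.split("=", 1) for f in fields)
        e["time"] = datetime.fromisoformat(ts)
        e["EventID"], e["LogonType"] = int(e["EventID"]), int(e["LogonType"])
        events.append(e)
    return sorted(events, key=lambda e: e["time"])

def detect_spray(events, window=timedelta(hours=6), min_accounts=5):
    """Return (source_ip, distinct_accounts_failed, account_that_succeeded_or_None)
    for every source whose RDP failures cover >= min_accounts distinct accounts
    inside one sliding window; a later 4624 from that source names the account."""
    by_src = defaultdict(list)
    for e in events:
        if e["LogonType"] == 10:  # only RDP (RemoteInteractive) logons
            by_src[e["IpAddress"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["EventID"] == 4625]
        for i, first in enumerate(failures):  # slide the window from each failure
            accounts = {e["TargetUserName"] for e in failures[i:] if e["time"] - first["time"] <= window}
            if len(accounts) >= min_accounts:
                hit = next((e for e in evs if e["EventID"] == 4624 and e["time"] > first["time"]), None)
                alerts.append((src, len(accounts), hit["TargetUserName"] if hit else None))
                break
    return alerts

if __name__ == "__main__":
    print(detect_spray(parse_events(SAMPLE_LOG)))
```

Tune min_accounts and window to the environment's baseline; the thresholds here are chosen only to match the constructed sample.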

    Reference:

    https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/#indicators


    Tags: Malware, Ransomware, Mimikatz, Nirsoft
