92.63.197.190 (Ruski Email Worm Hosted In AS60307 HVFOPSERVER-AS, UA)


Dangerous worm spreading through mails, probably our old friend snk.
Defense Evasion (obscures a file's origin):
Tries to delete zone identifier of file "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\pe.exe"
Tries to delete zone identifier of file "C:\Windows\230531292821781\svchost.exe"
Tries to delete zone identifier of file "C:\Users\5P5NRG~1\AppData\Local\Temp\1762129910.exe"
Tries to delete zone identifier of file "C:\Users\5P5NRG~1\AppData\Local\Temp\2759815991.exe"
Tries to delete zone identifier of

kbbxnq.am.files.1drv.com (Loki Bot Hosted In United States Of America, Des Moines, Microsoft Corporation)


Connects to random domains like: kbbxnq.am.files.1drv.com
Downloads encrypted file from: hxxps://onedrive.live.com/download?cid=95FCF6A0982EDBAA&resid=95FCF6A0982EDBAA%21384&authkey=ADToz6om2_g4nq4
Steals data from: Vivaldi, Maple Studio, SecureFX, Pocomail, Chromium, KiTTY, NCH Fling, Orbitum, AbleFTP, IncrediMail, Internet Explorer / Edge, CocCoc, Bitvise SSH Client, Microsoft Outlook, NCH Classic FTP, BlazeFTP, WinChips, Epic Privacy Browser, Pidgin, PuTTY, Automize, FAR Manager, Yandex Browser, Comodo

185.126.201.167 (Loki Bot Hosted In IRAN)


Direct connection to: 185.126.201.167
Steals data from: Vivaldi, Maple Studio, SecureFX, Pocomail, Chromium, KiTTY, NCH Fling, Orbitum, AbleFTP, IncrediMail, Internet Explorer / Edge, CocCoc, Bitvise SSH Client, Microsoft Outlook, NCH Classic FTP, BlazeFTP, WinChips, Epic Privacy Browser, Pidgin, PuTTY, Automize, FAR Manager, Yandex Browser, Comodo Dragon, Chrome Canary, JaSFTP, Google Chrome, Total Commander,

myehterwallet.top Loki Bot (Hosted In China Hangzhou Alibaba.com Llc)


Encrypted configuration: hxxp://myehterwallet.top/UJZfOVD59Rue1AtQ/conf.php
Panel login: hxxp://myehterwallet.top/UJZfOVD59Rue1AtQ/login.php
Behavior: steals data from browsers (Chrome, Firefox, Internet Explorer/Edge), steals data from applications like WinSCP and Pidgin, steals data from Microsoft Outlook via the registry.
Sample: hxxp://45.141.86.139/update/updatewallet.exe
Hosting info: hxxp://whois.domaintools.com/47.254.174.146

batlxt.org Loki Bot (Hosted in Russian Federation Moscow Mail.ru Llc)


Domain name: batlxt.org
IP: 95.163.214.100
URL: http://batlxt.org/y8x/pin.php
Steals credentials from local FTP client software:
C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\user\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
C:\Program Files (x86)\FTPGetter\Profile\servers.xml
C:\Users\user\AppData\Roaming\FTPGetter\servers.xml
C:\Users\user\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
key: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
key: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
key: HKEY_CURRENT_USER\Software\Ghisler\Total Commander
key: HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
Sample: hxxp://107.189.10.150/HT/7845100.jpg
Hosting infos: hxxp://whois.domaintools.com/95.163.214.100

fentq.org Loki Bot (Hosted In Russian Federation Moscow Mail.ru Llc)


Domain: fentq.org
IP: 89.208.196.209
URL: http://fentq.org/x/index.php
Steals info from FileZilla: C:\Users\user\AppData\Roaming\filezilla\recentservers.xml
Steals info from browsers:
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@www1.euro.dell[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@i.dell[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@dell[1].txt
Sample: hxxp://107.189.10.150/E/5097110.exe
Hosting infos: hxxp://whois.domaintools.com/89.208.196.209

Ransomware GandCrab v5.0.4


Our ruski hecker snk is still hunting for money.
Downloader: http://92.63.197.48/m/tm.exe
hxxp://92.63.197.48/m/mb.exe
Here are some samples from snk's bots and malware, plus a Trik Bot 2.5 sample unpacked by Xylitol:
hxxp://filestorage.biz/download.php?file=3084255e737c1968b06d97242fe297ac
Password for the archive: secretzone.io

billerimpex.com (GandCrab 4 Ransomware)


Samples: hxxp://146.0.72.139/no_malwareneedscoffee.jpg
URLs:
hxxp://filestorage.biz/download.php?file=e541302686cca000584050d41e254261
hxxp://memesmix.net/media/created/dd0doq.jpg
www.billerimpex.com
hxxp://gandcrabmfe6mnef.onion/68763f12385ff103

bticoin.su (Monero Miner)


Domains contacted: "bticoin.su", "xmr.pool.minergate.com"
Sample: hxxps://multiup.org/download/fd770cb19017e1dfdb190493a5c17fb4/rig.exe

GandCrab v4 Ransomware CnC


The sample looks like Carberp with a ransomware option added.
Contacted domains: "www.billerimpex.com", "www.macartegrise.eu", "www.poketeg.com", "priceclub.su", "perovaphoto.ru", "vision2010usa.com", "asl-company.ru", "www.fabbfoundation.gm", "www.perfectfunnelblueprint.com", "www.wash-wear.com", "pp-panda74.ru"
Contacted IPs: "216.58.215.46:80", "91.210.104.247:80", "148.251.131.183:80", "52.29.192.136:80", "178.33.233.202:80", "185.174.175.30:80", "87.236.19.51:80", "50.63.197.11:80", "87.236.16.31:80", "104.27.184.39:80", "146.66.72.87:80", "69.73.180.151:80", "87.236.16.29:80", "173.247.242.133:80", "188.165.53.185:80", "107.178.113.162:80", "188.64.184.90:80", "188.64.184.90:443", "213.186.33.3:80", "213.186.33.3:443"
Sample here: hxxp://91.210.104.247/putty.exe
The sample porn.jpg downloads these