Ransomware GandCrab v5.0.4

Our ruski hecker snk is still hunting for money.
Downloader: hxxp://
Here are some samples from snk's bots and malware, plus the Trik Bot 2.5 sample unpacked by Xylitol.
Archive: hxxp://filestorage.biz/download.php?file=3084255e737c1968b06d97242fe297ac
Password for the archive: secretzone.io

billerimpex.com (GandCrab v4 Ransomware)

Samples: hxxp://
URLs:
hxxp://filestorage.biz/download.php?file=e541302686cca000584050d41e254261
hxxp://memesmix.net/media/created/dd0doq.jpg
www.billerimpex.com
hxxp://gandcrabmfe6mnef.onion/68763f12385ff103

bticoin.su (Monero Miner)

Domains contacted: bticoin.su, xmr.pool.minergate.com
Sample: hxxps://multiup.org/download/fd770cb19017e1dfdb190493a5c17fb4/rig.exe

GandCrab v4 Ransomware CnC

The sample looks like Carberp with a ransomware option added.
Contacted domains:
www.billerimpex.com
www.macartegrise.eu
www.poketeg.com
priceclub.su
perovaphoto.ru
vision2010usa.com
asl-company.ru
www.fabbfoundation.gm
www.perfectfunnelblueprint.com
www.wash-wear.com
pp-panda74.ru
Sample here: hxxp://
The sample porn.jpg downloads these.

kdotraky.com (Loki Bot hosted in Shinjiru MSC Sdn Bhd)

Sample here: hxxp://kdotraky.com/kat/herbpc.exe
Panel here: hxxp://kdotraky.com/temp/
Directory listing of the whole host: hxxp://kdotraky.com/
Contacted hosts:
hxxp://kdotraky.com/dot/shalwa.exe
hxxp://continentalrnovers.com/
hxxp://kdotraky.com/kat
hxxp://kdotraky.com/kat/herbpc.exe
hxxp://kdotraky.com/temp/Panel/five/fre.php
Hosting info: http://whois.domaintools.com/

bookwormsbiorhythm.top (Smoke Loader + TeamViewer RAT)

Smoke Loader is used to infect the victim with a TeamViewer RAT (version 4.34, executable around 2 MB).
Domains: bookwormsbiorhythm.top, charlesadvanced.top
IPs:
Samples:
hxxp://
hxxp://
hxxp://
hxxp://theplatonicsolid.com/cftmon.exe
hxxp://memorywedge.net/11/cftmon.exe
hxxp://memorywedge.net/11/1.zip : the whole archive (shells, emailer, samples), with his gmail address too. This guy looks like a big russki hecker.

bullguard09.wm01.to (Injector.DSCE hosted in Portugal, Lisbon, Dotsi Unipessoal Lda.)

Resolved [ bullguard09.wm01.to ] To [ ]
Malware activity:
Reads terminal service related keys (often RDP related)
Sets a global Windows hook to intercept keystrokes
Creates a fake system process
Modifies auto-execute functionality by setting/creating a value in the registry
Writes data to a remote process
Reads the active computer name
Reads the

(Stealer hosted in Lithuania, Vilnius, Uab Interneto Vizija)

Steals bitcoins from these wallets:
AppData\Roaming\Bitcoin\wallet.dat
AppData\Roaming\Litecoin\wallet.dat
AppData\Roaming\PPCoin\wallet.dat
AppData\Roaming\Terracoin\wallet.dat
Uses email to transfer the stolen wallets.
Some strings from the executable (MSIL disassembly):
@600018e: ldarg.0
@600018f: ldc.i4.0
@6000190: callvirt 0A000052
@6000191: call 0A000053
@6000192: call 0A000054
@6000193: stloc.s V_4
@6000194: ldloc.s V_4
@6000195: ldstr ;FileSplit
@6000196: callvirt 0A000055
@6000197: brtrue.s label_0

flipcoin.co (Pony hosted in United States, Piscataway, Shock Hosting Llc)

Domain: flipcoin.co
Resolved [ flipcoin.co ] To [ ]
Sample: hxxp://flipcoin.co/pony/bin.exe
Random panels and samples from Gaudox, Neutrino, Solar, Pony, Herpes and Betabot here: hxxp://flipcoin.co/
Hosting info: http://whois.domaintools.com/