kbbxnq.am.files.1drv.com(Loki Bot Hosted In United States Of America Des Moines Microsoft Corporation)

Connects to random domains like : kbbxnq.am.files.1drv.com Downloads encrypted file from : hxxps://onedrive.live.com/download?cid=95FCF6A0982EDBAA&resid=95FCF6A0982EDBAA%21384&authkey=ADToz6om2_g4nq4 Steals Data from : Vivaldi, Maple Studio, SecureFX, Pocomail, Chromium, KiTTY, NCH Fling, Orbitum, AbleFTP, IncrediMail, Internet Explorer / Edge, CocCoc, Bitvise SSH Client, Microsoft Outlook, NCH Classic FTP, BlazeFTP, WinChips, Epic Privacy Browser, Pidgin, PuTTY, Automize, FAR Manager, Yandex Browser, Comodo kbbxnq.am.files.1drv.com(Loki Bot Hosted In United States Of America Des Moines Microsoft Corporation)

185.126.201.167 (Loki Bot Hosted In IRAN)

Direct connection to : 185.126.201.167 Steals Data from : Vivaldi, Maple Studio, SecureFX, Pocomail, Chromium, KiTTY, NCH Fling, Orbitum, AbleFTP, IncrediMail, Internet Explorer / Edge, CocCoc, Bitvise SSH Client, Microsoft Outlook, NCH Classic FTP, BlazeFTP, WinChips, Epic Privacy Browser, Pidgin, PuTTY, Automize, FAR Manager, Yandex Browser, Comodo Dragon, Chrome Canary, JaSFTP, Google Chrome, Total Commander, 185.126.201.167 (Loki Bot Hosted In IRAN)

myehterwallet.top Loki bot (Hosted in China Hangzhou Alibaba.com Llc)

Encrypted configuration : hxxp://myehterwallet.top/UJZfOVD59Rue1AtQ/conf.php Panel Login : hxxp://myehterwallet.top/UJZfOVD59Rue1AtQ/login.php Behavior : Steals data from browsers chrome,firefox,internet explorer/Edge , steals data from applications like WinSCP,Pidgin , steals data from Microsoft Outlook via registry. Sample : hxxp://45.141.86.139/update/updatewallet.exe   Hosting Info : hxxp://whois.domaintools.com/47.254.174.146  

batlxt.org Loki Bot (Hosted in Russian Federation Moscow Mail.ru Llc)

Domain name : batlxt.org IP :  95.163.214.100 URL : http://batlxt.org/y8x/pin.php Steals Credentials From Local FTP Client Softwares : C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml C:\Users\user\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db C:\Program Files (x86)\FTPGetter\Profile\servers.xml C:\Users\user\AppData\Roaming\FTPGetter\servers.xml C:\Users\user\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat key: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts key: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts key: HKEY_CURRENT_USER\Software\Ghisler\Total Commander key: HKEY_CURRENT_USER\Software\LinasFTP\Site Manager Sample : hxxp://107.189.10.150/HT/7845100.jpg Hosting infos: hxxp://whois.domaintools.com/95.163.214.100

fentq.org Loki Bot (Hosted In Russian Federation Moscow Mail.ru Llc)

Domain : fentq.org Ip : 89.208.196.209 HxxP: http://fentq.org/x/index.php Steals info from filezilla : C:\Users\user\AppData\Roaming\filezilla\recentservers.xml Steals info from browsers : C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@www1.euro.dell[1].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@i.dell[2].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@dell[1].txt Sample : Hosting Infos :hxxp://107.189.10.150/E/5097110.exe hxxp://whois.domaintools.com/89.208.196.209    

Google AdSense Leak

Now i see why they closed my account lol. I am a former Google employee and I am writing this to leak information to the public of what I witnessed and took part in while being an employee. My position was to deal with AdSense accounts, more specifically the accounts of publishers (not advertisers). I Google AdSense Leak

Ransomware GandCrab v5.0.4

Our ruski hecker snk is still hunting for money. Downloader : http://92.63.197.48/m/tm.exe hxxp://92.63.197.48/m/mb.exe Here some samples from snk bots,malwares also uncpaked bY Xylitol Trik Bot 2.5 sample. hxxp://filestorage.biz/download.php?file=3084255e737c1968b06d97242fe297ac Password for the archive : secretzone.io

billerimpex.com(Grandcrab4 Ransomware)

Samples : hxxp://146.0.72.139/no_malwareneedscoffee.jpg Url’s : hxxp://filestorage.biz/download.php?file=e541302686cca000584050d41e254261 hxxp://memesmix.net/media/created/dd0doq.jpg www.billerimpex.com hxxp://gandcrabmfe6mnef.onion/68763f12385ff103

bticoin.su(Monero Miner)

Domains contacted : “bticoin.su”  “xmr.pool.minergate.com” Sample : hxxps://multiup.org/download/fd770cb19017e1dfdb190493a5c17fb4/rig.exe

GandCrab v4 Ransomware CnC

The sample looks like Carberp with ransomware option added . Contacts domains :  “www.billerimpex.com”  “www.macartegrise.eu”  “www.poketeg.com”  “priceclub.su”  “perovaphoto.ru”  “vision2010usa.com”  “asl-company.ru”  “www.fabbfoundation.gm”  “www.perfectfunnelblueprint.com”  “www.wash-wear.com”  “pp-panda74.ru” Contacts ips : “216.58.215.46:80”  “91.210.104.247:80”  “148.251.131.183:80”  “52.29.192.136:80”  “178.33.233.202:80”  “185.174.175.30:80”  “87.236.19.51:80”  “50.63.197.11:80”  “87.236.16.31:80”  “104.27.184.39:80”  “146.66.72.87:80”  “69.73.180.151:80”  “87.236.16.29:80” “173.247.242.133:80”  “188.165.53.185:80”  “107.178.113.162:80”  “188.64.184.90:80”  “188.64.184.90:443”  “213.186.33.3:80”  “213.186.33.3:443” Sample here : hxxp://91.210.104.247/putty.exe The sample porn.jpg downloads these GandCrab v4 Ransomware CnC