bticoin.su (Monero Miner)

Domains contacted :

"bticoin.su"
"xmr.pool.minergate.com"

Sample :
hxxps://multiup.org/download/fd770cb19017e1dfdb190493a5c17fb4/rig.exe

GandCrab v4 Ransomware CnC

The sample looks like Carberp with a ransomware option added.

Contacts domains :

"www.billerimpex.com"
"www.macartegrise.eu"
"www.poketeg.com"
"priceclub.su"
"perovaphoto.ru"
"vision2010usa.com"
"asl-company.ru"
"www.fabbfoundation.gm"
"www.perfectfunnelblueprint.com"
"www.wash-wear.com"
"pp-panda74.ru"

Contacts ips :

"216.58.215.46:80"
"91.210.104.247:80"
"148.251.131.183:80"
"52.29.192.136:80"
"178.33.233.202:80"
"185.174.175.30:80"
"87.236.19.51:80"
"50.63.197.11:80"
"87.236.16.31:80"
"104.27.184.39:80"
"146.66.72.87:80"
"69.73.180.151:80"
"87.236.16.29:80"
"173.247.242.133:80"
"188.165.53.185:80"
"107.178.113.162:80"
"188.64.184.90:80"
"188.64.184.90:443"
"213.186.33.3:80"
"213.186.33.3:443"

Sample here : hxxp://91.210.104.247/putty.exe

The sample porn.jpg (hxxp://megaupper.com/files/WGDJVYRH/porn.jpg) downloads these URLs :

hxxp://91.210.104.247/emotet.txt
hxxp://91.210.104.247/debug.txt
hxxp://91.210.104.247/putty.exe
hxxp://91.210.104.247/zerophage_fuck_yourself.exe
kdotraky.com (Loki Bot Hosted In Shinjiru MSC Sdn Bhd)

Sample here : hxxp://kdotraky.com/kat/herbpc.exe

Panel here : hxxp://kdotraky.com/temp/

All directories listing here : hxxp://kdotraky.com/

Contacted hosts :

hxxp://kdotraky.com/dot/shalwa.exe
hxxp://continentalrnovers.com/
hxxp://kdotraky.com/kat
hxxp://kdotraky.com/kat/herbpc.exe
hxxp://kdotraky.com/temp/Panel/five/fre.php

Hosting info :
http://whois.domaintools.com/101.99.75.184

185.121.139.214 (Pony Hosted in United Kingdom London Hydra Communications Ltd)

Gate here : hxxp://185.121.139.214/pon/gate.php

Sample here : hxxp://185.121.139.214/pon/loader.exe

Hosting info :
http://whois.domaintools.com/185.121.139.214
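The contacted hosts and C2 endpoints listed in the GandCrab v4, Loki Bot and Pony sections above are only useful once they are checked against traffic. The script below is an added example, not code from this page or from any of the malware it describes: it refangs the indicators exactly as printed above (hxxp, [.]) and sweeps a proxy log for full-URL, domain, IP and C2-path hits. The proxy log format and the sample log lines are constructed assumptions; the "www." stripping is a generalisation so that the listed www hosts also match bare lookups.

```python
"""Sweep a proxy log for the GandCrab v4 / Loki Bot / Pony indicators above."""
import re
from urllib.parse import urlsplit

# Indicators copied from the GandCrab v4 section of the page.
GANDCRAB_DOMAINS = {
    "www.billerimpex.com", "www.macartegrise.eu", "www.poketeg.com",
    "priceclub.su", "perovaphoto.ru", "vision2010usa.com", "asl-company.ru",
    "www.fabbfoundation.gm", "www.perfectfunnelblueprint.com",
    "www.wash-wear.com", "pp-panda74.ru",
}
GANDCRAB_IPS = {
    "216.58.215.46", "91.210.104.247", "148.251.131.183", "52.29.192.136",
    "178.33.233.202", "185.174.175.30", "87.236.19.51", "50.63.197.11",
    "87.236.16.31", "104.27.184.39", "146.66.72.87", "69.73.180.151",
    "87.236.16.29", "173.247.242.133", "188.165.53.185", "107.178.113.162",
    "188.64.184.90", "213.186.33.3",
}
GANDCRAB_URLS = {
    "hxxp://91.210.104.247/putty.exe",
    "hxxp://91.210.104.247/emotet.txt",
    "hxxp://91.210.104.247/debug.txt",
    "hxxp://91.210.104.247/zerophage_fuck_yourself.exe",
}
# Panel/gate paths from the Loki Bot and Pony sections. Matched on path only,
# so this is the weakest signal and is checked last.
C2_PATHS = {
    "/pon/gate.php": "Pony gate",
    "/temp/Panel/five/fre.php": "Loki Bot panel",
}


def refang(s):
    """Turn the page's defanged form (hxxp://, [.]) back into a real URL."""
    return re.sub(r"^hxxp", "http", s.strip(), flags=re.I).replace("[.]", ".")


def defang(s):
    """Defang a URL for safe printing in a report (scheme only)."""
    return re.sub(r"^http", "hxxp", s, flags=re.I)


def _bare(host):
    """Drop a leading 'www.' so the listed www hosts also match bare lookups."""
    return host[4:] if host.startswith("www.") else host


_IOC_URLS = {refang(u) for u in GANDCRAB_URLS}
_IOC_DOMAINS_BARE = {_bare(d) for d in GANDCRAB_DOMAINS}


def classify_url(url):
    """Return (match_type, indicator) for one requested URL, or None."""
    norm = url.strip().lower()
    if norm in _IOC_URLS:                     # strongest: exact payload URL
        return ("url", defang(norm))
    parts = urlsplit(norm)
    host = parts.hostname or ""
    if _bare(host) in _IOC_DOMAINS_BARE:      # contacted domain
        return ("domain", host)
    if host in GANDCRAB_IPS:                  # contacted IP (any port)
        return ("ip", host)
    if parts.path in C2_PATHS:                # known gate/panel path on any host
        return ("path", f"{parts.path} ({C2_PATHS[parts.path]})")
    return None


# Constructed proxy log format (an assumption, not from the page):
# "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def match_log(text):
    """Scan proxy log text; return one dict per line that hits an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        found = classify_url(m["url"])
        if found:
            hits.append({"line": n, "client": m["client"],
                         "type": found[0], "indicator": found[1]})
    return hits


# Constructed sample log; these lines are made up for the demo.
SAMPLE_LOG = """\
2018-07-20T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2018-07-20T10:00:07Z 10.0.0.5 GET http://91.210.104.247/putty.exe 200
2018-07-20T10:00:09Z 10.0.0.9 POST http://wash-wear.com/ 200
2018-07-20T10:00:12Z 10.0.0.9 GET http://188.64.184.90:443/ 200
2018-07-20T10:00:20Z 10.0.0.12 POST http://203.0.113.7/pon/gate.php 200
this line is not in the expected format
"""

if __name__ == "__main__":
    for h in match_log(SAMPLE_LOG):
        print(f"line {h['line']}: {h['client']} -> {h['type']} {h['indicator']}")
```

Treat the hit types in the order the code checks them: a full payload URL or a listed domain is solid, an IP-only hit on hosting that is shared with legitimate sites is weak evidence that needs corroboration, and a bare gate/panel path on an unlisted host is a lead to pivot on, not a verdict.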

bookwormsbiorhythm.top (Smoke Loader + TeamViewer RAT)

Smoke Loader is used to infect the host with a TeamViewer RAT (TeamViewer 4.34; the executable is about 2 MB).

Domains :

bookwormsbiorhythm.top
charlesadvanced.top

IPs :

185.81.113.86:80
200.7.98.161:80
104.16.41.2:443
217.23.11.14:80
23.51.123.27:80
92.122.201.2:443
92.122.122.136:80

Samples :

hxxp://185.81.113.106/ital2.exe
hxxp://200.7.105.4/ital1.exe
hxxp://200.7.98.161/myonly3d.exe
hxxp://theplatonicsolid.com/cftmon.exe
hxxp://memorywedge.net/11/cftmon.exe

hxxp://memorywedge.net/11/1.zip :
The whole archive (shells, emailer, samples), and his Gmail address too. This guy looks like a big Russian hacker.