Google AdSense Leak

Now I see why they closed my account lol. I am a former Google employee and I am writing this to leak information to the public of what I witnessed and took part in while being an employee. My position was to deal with AdSense accounts, more specifically the accounts of publishers (not advertisers). I

Ransomware GandCrab v5.0.4

Our ruski hecker snk is still hunting for money.
Downloader:
hxxp://92.63.197.48/m/tm.exe
hxxp://92.63.197.48/m/mb.exe
Here are some samples from snk bots and malware, plus the Trik Bot 2.5 sample unpacked by Xylitol:
hxxp://filestorage.biz/download.php?file=3084255e737c1968b06d97242fe297ac
Password for the archive: secretzone.io

billerimpex.com(Grandcrab4 Ransomware)

Sample: hxxp://146.0.72.139/no_malwareneedscoffee.jpg
URLs:
hxxp://filestorage.biz/download.php?file=e541302686cca000584050d41e254261
hxxp://memesmix.net/media/created/dd0doq.jpg
www.billerimpex.com
hxxp://gandcrabmfe6mnef.onion/68763f12385ff103

bticoin.su(Monero Miner)

Domains contacted: bticoin.su, xmr.pool.minergate.com
Sample: hxxps://multiup.org/download/fd770cb19017e1dfdb190493a5c17fb4/rig.exe

GandCrab v4 Ransomware CnC

The sample looks like Carberp with a ransomware option added.
Contacted domains: www.billerimpex.com, www.macartegrise.eu, www.poketeg.com, priceclub.su, perovaphoto.ru, vision2010usa.com, asl-company.ru, www.fabbfoundation.gm, www.perfectfunnelblueprint.com, www.wash-wear.com, pp-panda74.ru
Contacted IPs: 216.58.215.46:80, 91.210.104.247:80, 148.251.131.183:80, 52.29.192.136:80, 178.33.233.202:80, 185.174.175.30:80, 87.236.19.51:80, 50.63.197.11:80, 87.236.16.31:80, 104.27.184.39:80, 146.66.72.87:80, 69.73.180.151:80, 87.236.16.29:80, 173.247.242.133:80, 188.165.53.185:80, 107.178.113.162:80, 188.64.184.90:80, 188.64.184.90:443, 213.186.33.3:80, 213.186.33.3:443
Sample here: hxxp://91.210.104.247/putty.exe
The sample porn.jpg downloads these

kdotraky.com(Loki Bot Hosted In Shinjiru MSC Sdn Bhd)

Sample here: hxxp://kdotraky.com/kat/herbpc.exe
Panel here: hxxp://kdotraky.com/temp/
Directory listing of the whole site here: hxxp://kdotraky.com/
Contacted hosts:
hxxp://kdotraky.com/dot/shalwa.exe
hxxp://continentalrnovers.com/
hxxp://kdotraky.com/kat
hxxp://kdotraky.com/kat/herbpc.exe
hxxp://kdotraky.com/temp/Panel/five/fre.php
Hosting info: http://whois.domaintools.com/101.99.75.184

bookwormsbiorhythm.top(Smoke Loader + TeamViewer Rat)

Smoke Loader is used to infect victims with a TeamViewer RAT (version 4.34, 2 MB executable).
Domains: bookwormsbiorhythm.top, charlesadvanced.top
IPs: 185.81.113.86:80, 200.7.98.161:80, 104.16.41.2:443, 217.23.11.14:80, 23.51.123.27:80, 92.122.201.2:443, 92.122.122.136:80
Samples:
hxxp://185.81.113.106/ital2.exe
hxxp://200.7.105.4/ital1.exe
hxxp://200.7.98.161/myonly3d.exe
hxxp://theplatonicsolid.com/cftmon.exe
hxxp://memorywedge.net/11/cftmon.exe
hxxp://memorywedge.net/11/1.zip : the whole archive (shells, emailer, samples), with his Gmail address too. This guy looks like a big russki hecker.

bullguard09.wm01.to(Injector.DSCE Hosted In Portugal Lisbon Dotsi Unipessoal Lda.)

Resolved [ bullguard09.wm01.to ] to [ 5.206.227.248 ]
Malware activity:
Reads terminal service related keys (often RDP related)
Sets a global Windows hook to intercept keystrokes
Creates a fake system process
Modifies auto-execute functionality by setting/creating a value in the registry
Writes data to a remote process
Reads the active computer name
Reads the

80.208.230.159(BitCoin Stealer Hosted In Lithuania Vilnius Uab Interneto Vizija)

Steals bitcoins from these wallets:
AppData\Roaming\Bitcoin\wallet.dat
AppData\Roaming\Litecoin\wallet.dat
AppData\Roaming\PPCoin\wallet.dat
AppData\Roaming\Terracoin\wallet.dat
Uses email to transfer the stolen wallets.
Some strings from the executable:
@600018e: ldarg.0
@600018f: ldc.i4.0
@6000190: callvirt 0A000052
@6000191: call 0A000053
@6000192: call 0A000054
@6000193: stloc.s V_4
@6000194: ldloc.s V_4
@6000195: ldstr ;FileSplit
@6000196: callvirt 0A000055
@6000197: brtrue.s label_0