Month: January 2016

DHL Phishing Script (Hosted In United States Provo Websitewelcome.com)

Resolved : [ rentmyryde.com ] To [ 192.232.247.118 ]
Principal page : hxxp://rentmyryde.com/css/DHL/DHL/tracking.php
DHL.zip here : hxxp://rentmyryde.com/css/
Lamers behind the script : Created BY Mr-Anobs / Modified By Realone
Hosting Infos : http://whois.domaintools.com/192.232.247.118

inmrvogurin.ru (Pony Hosted In Macao Macau Alan Hqservers Web Studio)

This guy keeps changing domain names but he uses the same shit.
Resolved : [ inmrvogurin.ru ] To [ 163.53.247.144 ]
URL'S :
hxxp://inmrvogurin.ru/SY/test/gate.php
hxxp://inmrvogurin.ru/SY/test/admin.php
TF letters in red, maybe a tribute to trojanforge.
Sample here : hxxp://inmrvogurin.ru/SY/test/micro.exe
Hosting Infos : http://whois.domaintools.com/163.53.247.144

proexti.ufam.edu.br (Trojan.Win32.Generic Hosted In Brazil Manaus Associacao Rede Nacional De Ensino E Pesquisa)

This is the downloader : hxxp://www.xup.in/dl,79161341/010-RELATORIOFINAL_2601.doc.exe.7z/
Domain used to download the trojan : hellolink.biz 110.4.45.31
URL : hxxp://hellolink.biz/pinjam.my/counter/WinProc.zip
Unzip the file; the trojan exe is inside.
Trojan is packed with Themida and gets a file from here : proexti.ufam.edu.br/xmlrpc/content/count/B/fix.php
Hosting Infos : http://whois.domaintools.com/200.129.163.16

paydbills.ru (Pony Hosted In Macao Macau Alan Hqservers Web Studio)

Resolved : [ paydbills.ru ] To [ 163.53.247.144 ]
Behaviours :
1 Attempts to brute force passwords
2 Contains FTP stealing routine
3 Deletes itself
4 Manipulates Internet Explorer settings
5 Runs existing executable
6 Searches for digital certificates
7 Steals data
8 Steals local browser data
9 Suspicious delay
URL'S :
hxxp://paydbills.ru/RF/test/gate.php
hxxp://www.facebook.com/
Sample here

idan.work (BetaBot Hosted In United States Wilmington Hostus)

Thanks to Xylitol for confirming this is Betabot.
Domain : idan.work 162.245.216.60
Behaviours :
1 Contains Windows Firewall manipulation routine
2 Creates autorun registry key
3 Creates hook to unknown module
4 Deletes itself
5 Injects code into other processes
6 Makes DNS lookup of recently registered domain
7 Manipulates Internet Explorer settings
8 Runs

icanhazip.com (Malware Using Tor Hosted In United States Matawan Choopa Llc)

Domain : icanhazip.com 45.32.200.23
Resolved : [ icanhazip.com ] To [ 45.32.200.23 ]
Resolved : [ icanhazip.com ] To [ 104.238.162.182 ]
Other IP's used : 104.238.162.182 76.73.17.194 193.23.244.244 86.59.21.38 46.101.151.222
Opened Listening Ports : 9050 tcp, 1028 tcp
Executable is spoofed to .mp4.
Get it here : hxxp://www.datafilehost.com/d/5d690b34
Hosting Infos : http://whois.domaintools.com/45.32.200.23

seevu.net (Waldek Trojan Hosted In Netherlands Dronten Disk Group Ltd.)

Behaviours :
1 Attempts connections to suspicious countries
2 Automatically unpacks its own code
3 Creates hook to unknown module
4 Injects code into other processes
5 Makes DNS lookup of recently registered domain
6 Runs existing executable
DNS Lookup :
seevu.net 185.36.102.105
siloovoox.net 188.165.28.225
Sample here : hxxp://www.datafilehost.com/d/384b8efc
Hosting Infos : http://whois.domaintools.com/185.36.102.105

cojun15cart.com (HTTP Malware Hosted In United States Ashburn Amazon.com Inc.)

cojun15cart.com 23.22.255.164
Description :
Contains anti-debugging code
It makes use of some deprecated flags in the Characteristics field of FileHeader
PE section has SizeOfRawData set to zero
Behaviours :
Automatically unpacks its own code
Deletes itself
Deletes itself after reboot
Drops .EXE file
Manipulates Internet Explorer settings
Runs existing executable
Suspicious delay
TCP Connections Type