bookwormsbiorhythm.top(Smoke Loader + TeamViewer Rat)

Smoke Loader is used to infect victims with a TeamViewer RAT (version 4.34; the executable is about 2 MB in size).

Domains:
bookwormsbiorhythm.top
charlesadvanced.top

IPs:
185.81.113.86:80
200.7.98.161:80
104.16.41.2:443
217.23.11.14:80
23.51.123.27:80
92.122.201.2:443
92.122.122.136:80

Samples:
hxxp://185.81.113.106/ital2.exe
hxxp://200.7.105.4/ital1.exe
hxxp://200.7.98.161/myonly3d.exe
hxxp://theplatonicsolid.com/cftmon.exe
hxxp://memorywedge.net/11/cftmon.exe
hxxp://memorywedge.net/11/1.zip : the whole archive (shells, emailer, samples), with his Gmail address in it too. This guy looks like a big-time Russian hacker.
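The indicator lists above are written defanged (hxxp:// instead of http://), and one of them even uses the misspelling hxp://. When these lists are copied into a blocklist or a SIEM watchlist they need to be parsed and normalised consistently. The following is an added example, not code from the original post: a small Python parser that reads "Domains / IPs / Samples" lines in the same layout as this entry, splits IP:port pairs, refangs both hxxp:// and hxp:// URLs, and records each URL's host so the hosts can be matched independently of the path. The sample text is constructed from the indicators in this entry; the function and variable names are the example's own.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample input: a subset of the indicators printed above,
# in the same "Label : value value value" layout the entry uses.
SAMPLE_TEXT = """Domains : bookwormsbiorhythm.top charlesadvanced.top
Ip's : 185.81.113.86:80 200.7.98.161:80 104.16.41.2:443
Samples : hxxp://185.81.113.106/ital2.exe hxxp://200.7.105.4/ital1.exe hxp://memorywedge.net/11/1.zip"""

# Accept the usual "hxxp" defanging and the "hxp" misspelling seen above.
SCHEME_RE = re.compile(r"^h[x]{1,2}p(s?)://", re.IGNORECASE)
# Dotted-quad with an optional :port (octet range is not validated here).
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")
# Plain hostname: one or more labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, hxp://, hxxps://) into a real one."""
    return SCHEME_RE.sub(lambda m: "http" + m.group(1) + "://", url)


def defang(url: str) -> str:
    """Inverse of refang, for storing or sharing indicators safely."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)


def extract_iocs(text: str) -> Dict[str, List]:
    """Parse 'Label : token token ...' lines into typed indicator lists.

    Returns domains (str), ips ((ip, port) tuples, port None if absent),
    urls (refanged str) and hosts (hostnames taken from the URLs).
    """
    iocs: Dict[str, List] = {"domains": [], "ips": [], "urls": [], "hosts": []}
    for raw in text.splitlines():
        # The first colon separates the label from the values; URLs and
        # IP:port pairs contain colons too, so only split once.
        _label, sep, rest = raw.partition(":")
        if not sep:
            continue
        for token in rest.split():
            if SCHEME_RE.match(token):
                url = refang(token)
                iocs["urls"].append(url)
                host = urlsplit(url).hostname
                if host and host not in iocs["hosts"]:
                    iocs["hosts"].append(host)
            elif (m := IP_PORT_RE.match(token)):
                port: Tuple[str, int] = (m.group(1), int(m.group(2)) if m.group(2) else None)
                iocs["ips"].append(port)
            elif DOMAIN_RE.match(token):
                iocs["domains"].append(token)
            # anything else (free text such as "the whole archive") is ignored
    return iocs


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        print(kind, values)
```

Domains and URL hosts are kept as separate lists on purpose: the C2 domains are worth blocking outright, whereas a hosting IP such as 185.81.113.106 that only appears as a download location may be shared infrastructure and deserves a lookup before it goes on a blocklist.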

bullguard09.wm01.to(Injector.DSCE Hosted In Portugal Lisbon Dotsi Unipessoal Lda.)

Resolved [ bullguard09.wm01.to ] to [ 5.206.227.248 ]

Malware activity:
Reads terminal service related keys (often RDP related)
Sets a global Windows hook to intercept keystrokes
Creates a fake system process
Modifies auto-execute functionality by setting/creating a value in the registry
Writes data to a remote process
Reads the active computer name
Reads the

80.208.230.159(BitCoin Stealer Hosted In Lithuania Vilnius Uab Interneto Vizija)

Steals bitcoins from these wallets:
AppData\Roaming\Bitcoin\wallet.dat
AppData\Roaming\Litecoin\wallet.dat
AppData\Roaming\PPCoin\wallet.dat
AppData\Roaming\Terracoin\wallet.dat

Uses email to transfer the stolen wallets.

Some strings from the executable:
@600018e: ldarg.0
@600018f: ldc.i4.0
@6000190: callvirt 0A000052
@6000191: call 0A000053
@6000192: call 0A000054
@6000193: stloc.s V_4
@6000194: ldloc.s V_4
@6000195: ldstr ;FileSplit
@6000196: callvirt 0A000055
@6000197: brtrue.s label_0