kbbxnq.am.files.1drv.com(Loki Bot Hosted In United States Of America Des Moines Microsoft Corporation)

Connects to random domains like : kbbxnq.am.files.1drv.com Downloads encrypted file from : hxxps://onedrive.live.com/download?cid=95FCF6A0982EDBAA&resid=95FCF6A0982EDBAA%21384&authkey=ADToz6om2_g4nq4 Steals Data from : Vivaldi, Maple Studio, SecureFX, Pocomail, Chromium, KiTTY, NCH Fling, Orbitum, AbleFTP, IncrediMail, Internet Explorer / Edge, CocCoc, Bitvise SSH Client, Microsoft Outlook, NCH Classic FTP, BlazeFTP, WinChips, Epic Privacy Browser, Pidgin, PuTTY, Automize, FAR Manager, Yandex Browser, Comodo kbbxnq.am.files.1drv.com(Loki Bot Hosted In United States Of America Des Moines Microsoft Corporation)

185.126.201.167 (Loki Bot Hosted In IRAN)

Direct connection to : 185.126.201.167 Steals Data from : Vivaldi, Maple Studio, SecureFX, Pocomail, Chromium, KiTTY, NCH Fling, Orbitum, AbleFTP, IncrediMail, Internet Explorer / Edge, CocCoc, Bitvise SSH Client, Microsoft Outlook, NCH Classic FTP, BlazeFTP, WinChips, Epic Privacy Browser, Pidgin, PuTTY, Automize, FAR Manager, Yandex Browser, Comodo Dragon, Chrome Canary, JaSFTP, Google Chrome, Total Commander, 185.126.201.167 (Loki Bot Hosted In IRAN)

myehterwallet.top Loki bot (Hosted in China Hangzhou Alibaba.com Llc)

Encrypted configuration : hxxp://myehterwallet.top/UJZfOVD59Rue1AtQ/conf.php Panel Login : hxxp://myehterwallet.top/UJZfOVD59Rue1AtQ/login.php Behavior : Steals data from browsers chrome,firefox,internet explorer/Edge , steals data from applications like WinSCP,Pidgin , steals data from Microsoft Outlook via registry. Sample : hxxp://45.141.86.139/update/updatewallet.exe   Hosting Info : hxxp://whois.domaintools.com/47.254.174.146  

batlxt.org Loki Bot (Hosted in Russian Federation Moscow Mail.ru Llc)

Domain name : batlxt.org IP :  95.163.214.100 URL : http://batlxt.org/y8x/pin.php Steals Credentials From Local FTP Client Softwares : C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml C:\Users\user\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db C:\Program Files (x86)\FTPGetter\Profile\servers.xml C:\Users\user\AppData\Roaming\FTPGetter\servers.xml C:\Users\user\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat key: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts key: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts key: HKEY_CURRENT_USER\Software\Ghisler\Total Commander key: HKEY_CURRENT_USER\Software\LinasFTP\Site Manager Sample : hxxp://107.189.10.150/HT/7845100.jpg Hosting infos: hxxp://whois.domaintools.com/95.163.214.100

fentq.org Loki Bot (Hosted In Russian Federation Moscow Mail.ru Llc)

Domain : fentq.org Ip : 89.208.196.209 HxxP: http://fentq.org/x/index.php Steals info from filezilla : C:\Users\user\AppData\Roaming\filezilla\recentservers.xml Steals info from browsers : C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@www1.euro.dell[1].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@i.dell[2].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@dell[1].txt Sample : Hosting Infos :hxxp://107.189.10.150/E/5097110.exe hxxp://whois.domaintools.com/89.208.196.209