Month: February 2020

kbbxnq.am.files.1drv.com(Loki Bot Hosted In United States Of America Des Moines Microsoft Corporation)

Uncategorized

Connects to random domains like : kbbxnq.am.files.1drv.com Downloads encrypted file from : hxxps://onedrive.live.com/download?cid=95FCF6A0982EDBAA&resid=95FCF6A0982EDBAA%21384&authkey=ADToz6om2_g4nq4 Steals Data from : Vivaldi, Maple Studio, SecureFX, Pocomail, Chromium, KiTTY, NCH Fling, Orbitum, AbleFTP, IncrediMail, Internet Explorer / Edge, CocCoc, Bitvise SSH Client, Microsoft Outlook, NCH Classic FTP, BlazeFTP, WinChips, Epic Privacy Browser, Pidgin, PuTTY, Automize, FAR Manager, Yandex Browser, ComodoRead more...

185.126.201.167 (Loki Bot Hosted In IRAN)

Uncategorized

Direct connection to : 185.126.201.167 Steals Data from : Vivaldi, Maple Studio, SecureFX, Pocomail, Chromium, KiTTY, NCH Fling, Orbitum, AbleFTP, IncrediMail, Internet Explorer / Edge, CocCoc, Bitvise SSH Client, Microsoft Outlook, NCH Classic FTP, BlazeFTP, WinChips, Epic Privacy Browser, Pidgin, PuTTY, Automize, FAR Manager, Yandex Browser, Comodo Dragon, Chrome Canary, JaSFTP, Google Chrome, Total Commander,Read more...

myehterwallet.top Loki bot (Hosted in China Hangzhou Alibaba.com Llc)

Uncategorized

Encrypted configuration : hxxp://myehterwallet.top/UJZfOVD59Rue1AtQ/conf.php Panel Login : hxxp://myehterwallet.top/UJZfOVD59Rue1AtQ/login.php Behavior : Steals data from browsers chrome,firefox,internet explorer/Edge , steals data from applications like WinSCP,Pidgin , steals data from Microsoft Outlook via registry. Sample : hxxp://45.141.86.139/update/updatewallet.exe   Hosting Info : hxxp://whois.domaintools.com/47.254.174.146  

batlxt.org Loki Bot (Hosted in Russian Federation Moscow Mail.ru Llc)

Uncategorized

Domain name : batlxt.org IP :  95.163.214.100 URL : http://batlxt.org/y8x/pin.php Steals Credentials From Local FTP Client Softwares : C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml C:\Users\user\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db C:\Program Files (x86)\FTPGetter\Profile\servers.xml C:\Users\user\AppData\Roaming\FTPGetter\servers.xml C:\Users\user\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat key: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts key: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts key: HKEY_CURRENT_USER\Software\Ghisler\Total Commander key: HKEY_CURRENT_USER\Software\LinasFTP\Site Manager Sample : hxxp://107.189.10.150/HT/7845100.jpg Hosting infos: hxxp://whois.domaintools.com/95.163.214.100

fentq.org Loki Bot (Hosted In Russian Federation Moscow Mail.ru Llc)

Uncategorized

Domain : fentq.org Ip : 89.208.196.209 HxxP: http://fentq.org/x/index.php Steals info from filezilla : C:\Users\user\AppData\Roaming\filezilla\recentservers.xml Steals info from browsers : C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@www1.euro.dell[1].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@i.dell[2].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@dell[1].txt Sample : Hosting Infos :hxxp://107.189.10.150/E/5097110.exe hxxp://whois.domaintools.com/89.208.196.209