The sample looks like Carberp with a ransomware module added.
Contacted domains :
www.billerimpex.com
www.macartegrise.eu
www.poketeg.com
priceclub.su
perovaphoto.ru
vision2010usa.com
asl-company.ru
www.fabbfoundation.gm
www.perfectfunnelblueprint.com
www.wash-wear.com
pp-panda74.ru
Contacted IPs :
216.58.215.46:80
91.210.104.247:80
148.251.131.183:80
52.29.192.136:80
178.33.233.202:80
185.174.175.30:80
87.236.19.51:80
50.63.197.11:80
87.236.16.31:80
104.27.184.39:80
146.66.72.87:80
69.73.180.151:80
87.236.16.29:80
173.247.242.133:80
188.165.53.185:80
107.178.113.162:80
188.64.184.90:80
188.64.184.90:443
213.186.33.3:80
213.186.33.3:443
Sample here : hxxp://91.210.104.247/putty.exe
The sample porn.jpg downloads these ...
kdotraky.com (Loki Bot hosted in Shinjiru MSC Sdn Bhd)
Sample here : hxxp://kdotraky.com/kat/herbpc.exe
Panel here : hxxp://kdotraky.com/temp/
Directory listing here : hxxp://kdotraky.com/
Contacted hosts :
hxxp://kdotraky.com/dot/shalwa.exe
hxxp://continentalrnovers.com/
hxxp://kdotraky.com/kat
hxxp://kdotraky.com/kat/herbpc.exe
hxxp://kdotraky.com/temp/Panel/five/fre.php
Hosting info : http://whois.domaintools.com/101.99.75.184
185.121.139.214 (Pony hosted in United Kingdom, London, Hydra Communications Ltd)
Gate here : hxxp://185.121.139.214/pon/gate.php
Sample here : hxxp://185.121.139.214/pon/loader.exe
Hosting info : http://whois.domaintools.com/185.121.139.214
bookwormsbiorhythm.top (Smoke Loader + TeamViewer RAT)
Smoke Loader is used to drop a TeamViewer-based RAT (build 4.34, an executable of about 2 MB).
Domains :
bookwormsbiorhythm.top
charlesadvanced.top
IPs :
185.81.113.86:80
200.7.98.161:80
104.16.41.2:443
217.23.11.14:80
23.51.123.27:80
92.122.201.2:443
92.122.122.136:80
Samples :
hxxp://185.81.113.106/ital2.exe
hxxp://200.7.105.4/ital1.exe
hxxp://200.7.98.161/myonly3d.exe
hxxp://theplatonicsolid.com/cftmon.exe
hxxp://memorywedge.net/11/cftmon.exe
hxp://memorywedge.net/11/1.zip : the whole archive (shells, emailer, samples), plus his Gmail address. This looks like the work of a Russian hacker with a sizeable toolkit.
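The listings above mix defanged URLs (hxxp://, hxxps://, and the hxp:// typo), bare ip:port pairs and bare domains in free text. The following is an added example, not code from the blog: a small extractor that refangs the URLs, pulls host:port pairs out of both the URLs and the bare lists, and keeps domains apart from file names such as putty.exe. The sample listing is constructed here in the style of the entries above; the indicators in it are copied from this page.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed excerpt in the style of the listings on this page. The indicators
# are copied from the page; the layout is an assumption, not a format the blog defines.
SAMPLE_LISTING = """
Domains : bookwormsbiorhythm.top charlesadvanced.top
Ip's : 185.81.113.86:80 200.7.98.161:80 104.16.41.2:443
Samples : hxxp://185.81.113.106/ital2.exe hxxps://formwest.co/nst.exe hxp://memorywedge.net/11/1.zip
Gate here : hxxp://185.121.139.214/pon/gate.php
"""

# hxxp://, hxxps:// and the hxp:// typo on the page all stand for http(s)://
DEFANGED_URL = re.compile(r"\bhx+ps?://[^\s\"'<>()]+", re.IGNORECASE)
IP_PORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Bare file names in the listings (putty.exe, porn.jpg, wallet.dat) look like
# domains to the regex above; treat these "TLDs" as file extensions instead.
FILE_EXTENSIONS = {"exe", "zip", "php", "dat", "jpg", "dll"}


@dataclass
class Iocs:
    urls: set = field(default_factory=set)       # refanged, live URLs
    ip_ports: set = field(default_factory=set)   # (ip, port) tuples
    domains: set = field(default_factory=set)


def refang(url: str) -> str:
    """Turn hxxp://, hxxps:// or hxp:// back into http:// or https://."""
    return re.sub(r"^hx+(?=ps?://)", "htt", url, flags=re.IGNORECASE)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_iocs(text: str) -> Iocs:
    iocs = Iocs()
    # URLs first, so that their path components are not re-read as domains.
    for defanged in DEFANGED_URL.findall(text):
        url = refang(defanged)
        iocs.urls.add(url)
        parsed = urlparse(url)
        host = parsed.hostname
        if host is None:
            continue
        if is_ip(host):
            # No explicit port in the URL: assume the scheme default.
            port = parsed.port or (443 if parsed.scheme == "https" else 80)
            iocs.ip_ports.add((host, port))
        else:
            iocs.domains.add(host.lower())
    remainder = DEFANGED_URL.sub(" ", text)
    for ip, port in IP_PORT.findall(remainder):
        iocs.ip_ports.add((ip, int(port)))
    for candidate in DOMAIN.findall(remainder):
        if candidate.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
            iocs.domains.add(candidate.lower())
    return iocs


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_LISTING)
    for label, items in (("URLs", result.urls), ("IP:port", result.ip_ports), ("Domains", result.domains)):
        print(label)
        for item in sorted(items, key=str):
            print("  ", item)
```

Feed the script the raw text of an entry and the three sets come out deduplicated and ready for a blocklist; the refanged URLs are live, so keep the output out of anything that auto-clicks links.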
bullguard09.wm01.to (Injector.DSCE hosted in Portugal, Lisbon, Dotsi Unipessoal Lda.)
Resolved [ bullguard09.wm01.to ] to [ 5.206.227.248 ]
Malware activity :
Reads terminal service related keys (often RDP related)
Sets a global Windows hook to intercept keystrokes
Creates a fake system process
Modifies auto-execute functionality by setting/creating a value in the registry
Writes data to a remote process
Reads the active computer name
Reads the ...
80.208.230.159 (Bitcoin stealer hosted in Lithuania, Vilnius, Uab Interneto Vizija)
Steals coins from these wallets (paths relative to the user profile, backslashes restored) :
AppData\Roaming\Bitcoin\wallet.dat
AppData\Roaming\Litecoin\wallet.dat
AppData\Roaming\PPCoin\wallet.dat
AppData\Roaming\Terracoin\wallet.dat
Uses email to transfer the stolen wallets.
Some strings from the executable (.NET IL) :
@600018e: ldarg.0
@600018f: ldc.i4.0
@6000190: callvirt 0A000052
@6000191: call 0A000053
@6000192: call 0A000054
@6000193: stloc.s V_4
@6000194: ldloc.s V_4
@6000195: ldstr ;FileSplit
@6000196: callvirt 0A000055
@6000197: brtrue.s label_0...
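The listing above is .NET IL (ldstr, callvirt), which matters for triage: the CLR stores string literals as UTF-16LE, so a plain ASCII `strings` run over the binary will not show the wallet paths at all. The following is an added example, not code from the blog or from the sample: it builds a constructed stand-in blob with the wallet paths listed above embedded as UTF-16LE, then scans for both encodings and reports which wallet names are referenced, whether the FileSplit marker is present, and whether an SMTP-looking host (assumed here, not taken from the page) hints at the mail exfiltration the entry describes.

```python
import re

# Constructed stand-in for the .NET stealer: the wallet paths listed above,
# stored the way the CLR keeps ldstr literals (UTF-16LE in the #US heap), plus
# filler bytes. This is not a binary from the page.
WALLET_PATHS = [
    r"AppData\Roaming\Bitcoin\wallet.dat",
    r"AppData\Roaming\Litecoin\wallet.dat",
    r"AppData\Roaming\PPCoin\wallet.dat",
    r"AppData\Roaming\Terracoin\wallet.dat",
]


def build_fake_sample() -> bytes:
    blob = bytearray(b"MZ\x90\x00" + b"\x00" * 16)
    for path in WALLET_PATHS:
        blob += path.encode("utf-16-le") + b"\x00\x00" + b"\xcc" * 5
    blob += "FileSplit".encode("utf-16-le") + b"\x00\x00"
    # Assumed indicator (not from the page): an ASCII SMTP host name, as a
    # non-.NET string or config value would appear.
    blob += b"\xcc" * 3 + b"smtp.example.net" + b"\x00"
    return bytes(blob)


# A plain `strings` run only finds ASCII. .NET literals are UTF-16LE, so every
# printable character is followed by a NUL byte; scan for both encodings.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WALLET_PATH = re.compile(r"\\(Bitcoin|Litecoin|PPCoin|Terracoin)\\wallet\.dat$", re.IGNORECASE)


def utf16_strings(blob: bytes) -> list[str]:
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def ascii_strings(blob: bytes) -> list[str]:
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]


def wallet_names(strs: list[str]) -> list[str]:
    """Coin names whose wallet.dat path appears in the given strings."""
    return sorted({m.group(1) for s in strs if (m := WALLET_PATH.search(s))})


def triage(blob: bytes) -> dict:
    """Summarise wallet-stealer indicators found in a sample's strings."""
    utf16 = utf16_strings(blob)
    ascii_ = ascii_strings(blob)
    return {
        "wallets": wallet_names(utf16 + ascii_),
        "wallets_ascii_only": wallet_names(ascii_),  # what plain `strings` would show
        "file_split_marker": "FileSplit" in utf16,
        "smtp_hint": any(s.lower().startswith("smtp.") for s in utf16 + ascii_),
    }


if __name__ == "__main__":
    for key, value in triage(build_fake_sample()).items():
        print(f"{key}: {value}")
```

On a real sample, replace build_fake_sample() with the file's bytes; the point of the "wallets_ascii_only" field is that it comes back empty for a .NET stealer even though all four paths are in the binary, which is why a UTF-16 pass belongs in any string triage of managed malware.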
flipcoin.co (Pony hosted in United States, Piscataway, Shock Hosting Llc)
Domain : flipcoin.co
Resolved [ flipcoin.co ] to [ 144.208.125.231 ]
Sample : hxxp://flipcoin.co/pony/bin.exe
Assorted panels and samples from Gaudox, Neutrino, Solar, Pony, Herpes and Betabot here : hxxp://flipcoin.co/
Hosting info : http://whois.domaintools.com/144.208.125.231
rkskumzb.com (SageCrypt ransomware hosted in Russian Federation, Samara, Jsc Er-telecom Holding)
Domains used by the sample :
rkskumzb.com (46.0.141.233)
gesofgamd.com (46.173.218.203)
Path on the web server : /ykbi9t1w8/index.php
Sample : hxxps://formwest.co/nst.exe
Hosting info : https://whois.domaintools.com/46.0.141.233
majcc2.punkdns.vip (Imminent Monitor hosted in Russian Federation, Moscow, Anmaxx Internett-tjenester)
Domain : majcc2.punkdns.vip
Host and port : 185.145.44.11:1414
Sample : hxxp://ssd4.pdns.cz/1500/s500.exe
Hosting info : https://whois.domaintools.com/185.145.44.11
Gen:Variant.Symm (hosted in China, ASN 9808, Guangdong Mobile Communication Co. Ltd.)
Domain : qq120668082.f3322.net (f3322.net is a dynamic DNS service, so the IP below can change; pin detections to the hostname as well as the address)
Host and port : 120.210.207.142:5551
Sample : hxxp://117.41.185.216:9999/mimi.exe
Hosting info : https://whois.domaintools.com/120.210.207.142