This ransomware is hosted on Tor.
Domain : qbstdn6k7iivyki2.onion.direct
Address : 5.135.181.100
Country : France
HTTP Requests : 5.135.181.100:80 (qbstdn6k7iivyki2.onion.direct)
GET /lending/bot.php?name=4m4qn8F4804DA9-83EC&kod=tFpJtvsF^lUPeqDDzAQnkOeFfH]zSstunSA[dotBceHrJvZpTz&pid=2
GET /lending/bot.php?name=4m4qn8F4804DA9-83EC&kod=tFpJtvsF^lUPeqDDzAQnkOeFfH]zSstunSA[dotBceHrJvZpTz&pid=2 HTTP/1.1
Host: qbstdn6k7iivyki2.onion.direct
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
nellisrealestate.com (Pony Hosted In United States Los Angeles Inmotion Hosting Inc.)
HTTP Requests :
hxxp://nellisrealestate.com/wp-includes/images/okk/panelnew/gate.php
hxxp://nellisrealestate.com/wp-includes/images/okk/panelnew/pony.exe
hxxp://nellisrealestate.com/wp-includes/images/okk/ (panel zip here)
Hosting info : http://whois.domaintools.com/205.134.241.105
rutland-property.co.uk (Banking Malware Hosted In United States Lansing Liquid Web Inc.)
Domain and IP : rutland-property.co.uk 67.227.187.84
Panel : hxxp://rutland-property.co.uk/winner/panelnew/gate.php
Sample : hxxp://rutland-property.co.uk/winner/panelnew/winner.exe
Hosting info : http://whois.domaintools.com/67.227.187.84
Trojan Downloader Hosted In 66 Different IPs
This sample contains a trojan downloader: hxxp://193.28.179.40/loader/harsh02.exe (around 1 MB in size).
Hosts list :
94.153.127.132 41.38.71.138 94.254.52.140 46.149.62.141 123.28.95.142 134.17.160.109
178.129.117.110 85.17.31.111 91.246.240.111 5.105.31.117 77.123.167.4 95.65.55.6
178.151.65.6 176.116.194.6 82.211.132.7 180.176.214.13 46.118.178.14 95.76.169.18
5.105.39.19 176.37.119.19 211.120.158.247 46.118.63.248 91.123.153.248 213.111.223.250
27.2.103.254 106.242.117.85 5.105.56.87 117.40.213.89 77.122.167.93 81.198.206.95
173.240.15.54 46.119.56.56 145.249.166.60 77.121.186.60 89.43.129.64 78.139.185.21
176.8.198.22 89.41.38.24 73.38.63.24 182.234.149.25 91.209.96.3 93.79.182.11
kdsk3afdiolpgejs.onion.to (Zeus Variant Hosted In Germany Berlin Individual Network Berlin E.v.)
Tor is used to host the bot. Here is the sample : hxxp://kdsk3afdiolpgejs.onion.to/sphinx/bot.exe
Looking up kdsk3afdiolpgejs.onion.to… Resolved to: 217.197.83.197
Other hosts contacted by the bot : 193.23.244.244 212.112.245.170 76.73.17.194
Hosting info : http://whois.domaintools.com/217.197.83.197
indianmoneybag.in (HTTP Password Stealer Hosted In United States Provo Unified Layer)
Maybe a Zeus variant.
Domains :
repository.certum.pl 213.222.201.175
www.download.windowsupdate.com 184.25.56.173
crl.certum.pl 213.222.201.210
myworkmustpayme.xyz 162.144.218.223
www.indianmoneybag.in 104.153.45.242
joemb009i.xyz 162.144.218.223
cryfreeman042.ddns.net 41.138.167.135
HTTP Requests :
http://www.indianmoneybag.in/wp-content/themes/twentyfourteen/css/php/gate.php
POST /wp-content/themes/twentyfourteen/css/php/gate.php HTTP/1.0
Host: www.indianmoneybag.in
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 506
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
http://myworkmustpayme.xyz/wp-admin/css/panel/config.jpg
GET /wp-admin/css/panel/config.jpg HTTP/1.1
Accept: */*
Connection:
86.105.33.102 (HTTP Malware Hosted In Romania Constanta Data Net Srl)
Malware steals information from browsers.
Hosts : 86.105.33.102 8.254.207.30
Get sample here : hxxp://flexicall.co.uk/fsf4fd32/8ik6sc.exe
Hosting info : http://whois.domaintools.com/86.105.33.102
pltd.myjino.ru (HTTP Malware Hosted In Russian Federation Moscow Avguro Technologies Ltd. Hosting Service Provider)
Domain name : pltd.myjino.ru 81.177.140.144
HTTP Requests : http://pltd.myjino.ru/finsess.php
Data :
POST /finsess.php HTTP/1.0
Host: pltd.myjino.ru
Connection: close
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
1=1882869218&2=&3=&99=15&^
Get sample here : hxxp://93.95.99.172/0310_crypted.exe
Hosting info : http://whois.domaintools.com/81.177.140.144
righromonhen.ru (HTTP Trojan Password Stealer Hosted In Russian Federation Miragroup Ltd.)
Domains :
righromonhen.ru 93.171.202.172
www.peak-exposure.co.uk 174.136.12.119
www.depalmaelocatelli.it 62.149.140.139
HTTP Requests :
hxxp://www.peak-exposure.co.uk/wp-content/plugins/cached_data/k1.exe
hxxp://righromonhen.ru/gate.php
hxxp://www.depalmaelocatelli.it/wp-content/plugins/cached_data/k1.exe
Hosting info : http://whois.domaintools.com/93.171.202.172
188.138.40.39 (Password Stealer Hosted In Germany ASN: 8972 intergenia AG)
Tries to steal FTP credential details from “WARE\smartftp\client 2.0\settings\backup” (indicator: “smartftp”). Sample here.
Server : 188.138.40.39:18892
Hosting info : http://whois.domaintools.com/188.138.40.39